EDPS publishes new Proportionality Guidelines aimed at making privacy-friendly policymaking easier
New European Data Protection Supervisor (EDPS) Guidelines on assessing proportionality aim to provide policymakers with practical tools to help assess the compliance of proposed EU measures that would impact the fundamental rights to privacy and the protection of personal data with the Charter of Fundamental Rights, the European Data Protection Supervisor said today, as he published the Guidelines.
Wojciech Wiewiórowski, EDPS, said: “Any proposed limitation of the right to the protection of personal data must comply with EU law.This means ensuring that this limitation is both necessary and proportional. Our Proportionality Guidelines, combined with the Necessity Toolkit we published in 2017, aim to make the assessment of necessity and proportionality quicker and easier for policymakers, helping them to ensure that all new EU proposals respect the fundamental right to personal data protection.”
Keeping data protection at the forefront of EU policy discussions is vital. The EU’s General Data Protection Regulation (GDPR) is built on Article 8 of the EU Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the European Union, which state that all individuals have the right to the protection of their own personal data. The EU legislator must therefore enact legislation that complies with these overarching constitutional principles and any restriction of these rights must comply with certain criteria: it must be provided for by law; must respect the essence of the fundamental right in question and must be both necessary and proportional, taking into account not only the aims of the measure itself, but also the need to protect rights and freedoms in general.
One of the tasks of the EDPS is to provide advice on new legislative instruments and policy proposals to the European Commission, the European Parliament and to the Council. This might be at their request, in response to a mandatory consultation by the Commission under Article 42 of Regulation 2018/1725 for example, or on his own initiative. As new EU proposals now routinely imply the processing of personal data, it is vitally important to ensure that policymakers are well-equipped to adequately assess the necessity and proportionality of a proposed measure. Building on relevant case law and recent EDPS legislative Opinions and formal Comments, the EDPS Proportionality Guidelines and the Necessity Toolkit provide practical guidance to help address these key dimensions from the start of the legislative process, therefore facilitating responsible and informed EU policymaking.
The EDPS recognises that, in what is now a digital world, policymakers are presented with increasingly complex issues, all of which must be taken into account in the drafting of legislation and policy proposals. As the new Commission gets to work, the EDPS is certain that both his Proportionality Guidelines and the Necessity Toolkit can play a significant role in simplifying the challenges faced by policymakers and therefore help them to ensure that fundamental rights are always adequately protected.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on 5 December 2019 to serve a five-year term.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.