Time running out to ensure effective data protection in the EU institutions

Giovanni Buttarelli

25 May 2018 will mark an important milestone in the history of data protection with the full application of the new General Data Protection Regulation (GDPR). Together with the Data Protection Directive for police and criminal justice authorities, the GDPR will set the standard for personal data processing for many years to come.

Through the GDPR, the EU has led the way in safeguarding fundamental rights in the digital age. It reinforces the rights of individuals, strengthens legal guarantees and will allow for better and more consistent enforcement of data protection rules through the new European Data Protection Board, for which the EDPS will provide the Secretariat.

This major shift is certainly a reason to celebrate. I plan to raise a glass of Prosecco at midnight on 24 May together with my colleagues from national Data Protection Authorities.

However, we must not forget that our work is not yet finished. The data protection reform package remains incomplete. Discussions on the rules applying to electronic communications (the new ePrivacy Regulation) and the EU institutions and bodies are still ongoing.

In particular, the European Parliament, the Council and the Commission are currently involved in trilogue negotiations on the new Regulation governing data protection in the EU institutions and bodies. The proposal aims to align the provisions of the current Regulation (EC) 45/2001 with the GDPR, to achieve a stronger and more coherent EU data protection framework. In March last year, we issued an Opinion on this proposal, based on our experience of 12 years of independent supervision, international cooperation and policy advice.

However, more than a year has passed since the Commission issued its proposal for the new Regulation. Its adoption should have been quick: largely a ‘technical’ exercise. After all, when the GDPR was adopted, the co-legislators agreed that the new data protection rules for EU institutions and bodies should become applicable at the same time as the GDPR (see Article 98 and recital 17 GDPR).

Indeed, there has been a sense of urgency since the beginning of the process. The Member States in the Council worked with remarkable speed and efficiency under the Maltese Presidency to reach a general approach of very high quality in June 2017. The European Parliament delivered its report slightly later, but made new proposals, designed to harmonise and supersede existing data protection regimes for three EU agencies already active or yet to be established in the law enforcement area: the EU Agency for Law Enforcement Cooperation (Europol), the EU Judicial Cooperation Unit (Eurojust) and the European Public Prosecutor’s Office (EPPO).

As reiterated in many EDPS Opinions, we welcome initiatives which seek to introduce more coherence and consistency in this area along with a limited number of justified specific provisions relating to so-called ‘operational data’ processed by EU law enforcement bodies. We continue to support the principle of ‘one law for all’ EU institutions and bodies, especially for administrative data, subject to coherent, specific rules applying to certain ‘core business’ law enforcement activities.

However, the latest Parliament proposals on these issues have become, objectively, a stumbling block in the trilogue phase of the negotiations, with the unintended consequence that we now face a possible delay in the entry into force of the new Regulation. This would represent a failure of the co-legislator to comply with its own commitments and is an outcome that must be avoided.

As I have discussed before and most recently with representatives of the main stakeholders, including the Rapporteur and the Presidency of the Council, the importance of the new Regulation for all EU institutions and bodies cannot be underestimated. It is a statement of the EU’s commitment to subject itself to the same rules that will apply to others under the GDPR and the law enforcement directive. EU citizens must be able to enjoy the same strengthened rights vis-à-vis EU institutions and bodies under the new Regulation for the EU institutions as they will enjoy under the GDPR. There can be no special treatment for the ‘EU bubble’. The strongest way to send this signal is to adopt these updated rules in time for them to be fully applicable on 25 May 2018.

As the supervisory authority of the 66 EU institutions, bodies, offices and agencies, we have been working hard over the past two years, together with all institutions and bodies, to make the transition to the new Regulation a success. Since the adoption of the GDPR, the internal groundwork and the assistance provided to EU institutions to ensure their timely preparation have been a top priority. We have updated existing guidance documents, prepared new ones and launched the update of existing thematic guidelines, while also organising working groups and workshops to enhance cooperation with EU institutions and their Data Protection Officers, providing guidance on how to deal with Data Protection Impact Assessments, for example. In addition, we have organised training sessions on the forthcoming changes, conducted targeted accountability visits and participated in meetings with the top management of EU institutions, with the intention of raising awareness. We plan to continue these efforts, with training sessions for about 200 EU staff members due to take place this month and further sessions scheduled for the near future.

On this basis, I am confident that both the EDPS and the EU institutions are ready to implement the new rules from 25 May 2018.

The co-legislators have, in practice, already reached an agreement on practically all issues related to the alignment of the legal framework for the processing of administrative personal data by all EU institutions, bodies, offices and agencies with the GDPR. Though some issues are still formally pending, compromise solutions are in sight, and we appreciate the ongoing effort being made. The main, and almost the only, significant problem concerns the subset of the so-called operational data processed by Europol, Eurojust and EPPO, mentioned above. As I say, this is certainly a point of strategic importance. However, the discussion on operational data is only relevant for a small subset of existing EU institutions and bodies. In other words, unless an institutional agreement is reached in the coming few days, discussions about operational data, which are inevitably complex and difficult and which may require an additional technical exercise, should not become an obstacle to the swift application of the remaining new rules to all other EU institutions, which have now largely been agreed upon by the co-legislators.

Naturally, the coherence and consistency of the overall EU data protection framework remains of the utmost importance. The EDPS has, on several occasions in the past, called on the Commission to propose a robust and comprehensive system, which would make data protection in the EU more coherent and effective, and ensure a sound environment for further developments in the years to come. The Commission chose a different approach based on separate steps. They put forward a separate legal instrument for data protection in the law enforcement area already in the initial phase of the data protection reform, followed by a separate regulation on privacy and confidentiality of electronic communications, as well as the proposal for the Regulation for EU institutions currently at issue. Clearly, compliance with baseline requirements of the Charter of Fundamental Rights was considered the primary objective, the number of legislative acts in which the relevant provisions are set out being a secondary consideration.

Today, acknowledging that this fragmented legal framework is the best outcome achievable in the context of the negotiations on the new Regulation for the EU institutions and bodies equates to political realism. The work towards a more coherent data protection framework in the Union should undoubtedly continue and be completed soon.

Failure (that is: delay) is not an option. The EDPS fully respects the important points raised in discussion by the three main institutions. But I also urge the European Parliament, the Council and the Commission to once again rise to the challenge before them and, once the negotiations formally resume under the leadership of the Bulgarian Presidency, find a very quick compromise and close this file with a sustainable outcome. Alternative procedural solutions may be explored within the legislative process, should such an outcome not be acceptable to all parties concerned and cannot be successfully negotiated within the very tight framework imposed by the full applicability of the GDPR. We understand that it is not technically easy a) to introduce a more uniform legal framework and b) to recognise specific requirements for operational data by avoiding any lowering of existing safeguards and standards.

Needless to say, I will continue to follow the process closely and to provide any support that the Bulgarian Presidency, the Rapporteur and the Commission might consider necessary.