A key advisory body, which is lending a hand in the rewrite of Europe's law for safeguarding information, has today reeled off its concerns over Viviane Reding's draft data protection bill.
The European Data Protection Supervisor (EDPS) warned that the rules laid out in the justice commissioner's proposal, which was published on 25 January, fall short of an all-embracing overhaul of the 17-year-old Data Protection Directive legislation.
"The proposed regulation constitutes a huge step forward for the right to data protection in Europe. However, we are unfortunately still far from a comprehensive set of data protection rules on national and EU level in all areas of EU policy," said Peter Hustinx of EDPS.
"The proposals are disappointing in the law enforcement area, and they leave many existing EU data protection instruments untouched, such as the data protection rules for the EU institutions and bodies and also all the specific law enforcement instruments," he added.
The EDPS listed a number of worries regarding Reding's proposal, which is being mulled over in the European Parliament and by the Council of Ministers to allow EU member states to scrutinise the bill.
It issued these warnings:
- the lack of legal certainty about the further use of personal data by law enforcement authorities;
- the lack of a general duty for law enforcement authorities to demonstrate compliance with data protection requirements;
- the weak conditions for transfers to third countries; [and]
- the unduly limited powers of supervisory authorities.
The EDPS claimed that many aspects of Reding's proposed rewrite of Europe's data protection regulation fail to meet "the requirement of a consistent and high level of data protection".
Britain's privacy watchdog, the ICO, has similarly expressed concern about some of the provisions laid out in the draft bill.
Information Commissioner Christopher Graham, speaking at a data protection debate in London last week, said that there was "a lot to question" about Reding's "half-baked" proposal.
The ICO already noted in its initial scrutiny of Reding's rewrite that the commissioner effectively needs a reality check on policing non-EU data controllers because cross-border enforcement mechanisms are not adequately provided in the bill.
"This assertion that the regulation can be enforced just because they're [non-EU companies] marketing to European citizens isn't going to happen," Graham said last week. In the same debate he labelled Reding's approach to data protection regulation as "anal". ®