The EU's independent privacy watchdog has stuck his oar into negotiations on a new EU-wide data protection law.
Despite having no formal role in drafting the new Data Protection Regulation, European Data Protection Supervisor (EDPS) Giovanni Buttarelli has sent his unsolicited recommendations to the three institutions involved. He has also launched an app to let legislators compare the texts from the EU Commission, the parliament and the EU Council with his own preferred version.
“Legislation is the art of the possible,” he said. “The options on the table each contain many worthy provisions, but each can be improved. The outcome will not be perfect in our view, but we intend to support the institutions in achieving the best possible outcome. That is why our recommendations stay within the boundaries of the three texts.”
The entire first page of Buttarelli's document, published (PDF, 12 pages) on Monday, is devoted to justifying why he’s decided to wade into the fray.
He largely backs the European Parliament's position, particularly on third-country data flows, a fine of five per cent of global turnover for non-compliance, and purpose limitation for further processing. This last issue could prove one of the big sticking points.
The EU Council text of Article 6(4) would allow companies to change how and what they do with citizens' data if they can show “legitimate interest”. However, some countries are concerned that “legitimate interest” is too vague and would leave the door open for companies to abuse personal information.
“This is one point where we think there is no space for reducing existing safeguards,” said Buttarelli – and, given his independent role, the co-legislators may well take heed.
However, Buttarelli has already missed the boat on chapter 5 and article 3, which cover territorial scope and international data transfers. A political deal was reached on those drafts earlier this month.
In the case of a personal data breach which is likely to result in a risk for the rights and freedoms of individuals, Buttarelli wants companies to notify the relevant authorities “without undue delay and no later than 72 hours after having become aware of it.” The commission had proposed a 24-hour window.
With a self-imposed deadline of the end of December, the clock is ticking on the three-way talks between the parliament, the council and the commission – but very few of them have downloaded Buttarelli's app. At the time of writing there had been fewer than 10 downloads of it from the Google Play store, one of those being your diligent reporter. An iOS version is also available – as well as a side-by-side comparison in a mammoth 520-page PDF. ®