EU Privacy Chiefs Group Weighs In On Data Protection Reform Endgame

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

June 19 — Acting quickly to make their presence felt in final negotiations over landmark European Union data protection reforms, the Article 29 Working Party of data protection authorities from the 28 EU member states June 18 highlighted the issues it said negotiators should consider in crafting the final version of the proposed data protection regulation to replace the 20-year-old EU Data Protection Directive (95/46/EC).

In letters to the main negotiators who will finalize the draft EU data protection regulation, the Art. 29 Party said that the primary issues that “deserve your special attention” were the relationship between the regulation and a separate proposed law on data processing for law enforcement purposes, the definition of personal data, the purpose limitation, the protection of data subject rights and the governance of data protection in the EU under the regulation.

The Art. 29 letters were addressed to the European Parliament's lead negotiators on the data protection reform: German Member of the European Parliament Jan Philipp Albrecht; EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová ; and Ilze Juhansone, Latvia's permanent representative to the EU. Latvia will represent EU member states in the first meeting to finalize the regulation, which is scheduled for June 24.

The series of documents also include an annex in which the Working Party identified some “areas of concern that need further attention in the perspective of the trilogue between European institutions.”

The European Commission, the EU's executive arm, proposed the data protection regulation in January 2012 to replace the 1995 EU Data Protection Directive.

An agreement between EU justice ministers June 15 on an EU member states' compromise position on the regulation triggered talks to complete the reform with the European Parliament. The Parliament adopted its position on the proposed reform in March 2014.

Areas of Concern 

The Art. 29 Working Party raised several main points in the series of documents.

The Working Party said a separate proposed directive on the processing of data by law enforcement authorities, which was released by the commission at the same time as the draft regulation, should be “exclusively for data protection in the law enforcement sector” and shouldn't have its scope broadened to include processing that would normally be covered by the regulation.

There should be a clear definition of personal data, the Working Party said. Although pseudonymization could be encouraged, pseudonymized data should be treated as personal data and not as a separate category, it said.

The processing of data without the consent of the data subject should only be done for “compatible purposes,” and the new law shouldn't allow “controllers to process data for a purpose that is incompatible” with the original consent, the Working Party said.

It said DPAs should have “appropriate powers of enforcement and sufficient resources” to protect data subject rights.

The European Data Protection Board, a centralized body that is likely to have the power to issue binding decisions in cross-border privacy cases, should have “real functional and financial independence,” the Working Party said.

Art. 29 Working Party Chairwoman Isabelle Falque-Pierrotin discussed the issues at a briefing June 17 ahead of the publication of the letters. Speaking at the briefing, she said that a relatively limited set of issues relating to the data protection reform remained to be resolved and that negotiations should be able to wrap up by the end of 2015.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Katie W. Johnson at

The Art. 29 Party's letters to Juhansone, Albrecht and Jourová, as well as an annex that describes the core issues in more detail, are available at

Request Bloomberg Law: Privacy & Data Security