Committee on Civil Liberties, Justice and Home Affairs
INTERPARLIAMENTARY COMMITTEE MEETING
European Parliament - National Parliaments
The reform of the EU Data Protection framework - Building trust in a digital and global world
Tuesday, 9 October 2012, 9.00 – 18.30
Wednesday, 10 October 2012, 9.00 – 18.30
European Parliament, Brussels
Room József Antall (JAN) 4Q2
Organised with the support of the Directorate for Relations with national Parliaments
1. General introduction
In the digitalised and global world the way in which personal data are collected, accessed, used and transferred has been profoundly transformed and become increasingly sophisticated. New technologies allow for an ever-increasing volume of personal data. Likewise law enforcement authorities have significantly increased their processing of personal data activities for the performance of their tasks.
In this challenging environment, the protection of personal data has become an essential issue of interest as regards the rights of the individual with regard to the protection of her/his personal data, on one-side, and the question of necessary and proportionate processing of personal data, by private entities and public authorities, on the other side. Data protection is a fundamental right enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, and in Article 16 of the Treaty on the Functioning of the European Union (TFEU).
In that regard, based on the experience with the current Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31) and Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60),(1) as well as the input of the European Parliament(2), the Commission has proposed two new legal instruments - proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, COM(2012)0011) and proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (Data Protection Directive, COM(2012)0010). Initially the Commission intended to present a single horizontal instrument.(3) The two new instruments, if adopted, would substantially define the EU data protection principles and rules for the following decades. The aim of the two proposals, as stated by the Commission, is to establish a modern, strong and consistent legislative framework across Union policies, enhancing individuals' rights, deepening the Single Market dimension of data protection, cutting red tape for businesses, and addressing issues posed by transnational flows of personal data.
In that regard the two instruments should, inter alia, end the current fragmentation through specific national rules (therefore the form of a Regulation for the first proposal), extend common principles to purely internal data processing situations in the law enforcement area as well (as regards the Directive), so as to ensure a high level of protection of the fundamental right of the individual to data protection. As a consequence trust of individuals in the digital economy and trust of citizens in the protection of fundamental rights by police and judicial authorities of Member States would be enhanced, and hence contributing to economic growth and the efficient work of law enforcement authorities.
2. Main elements of the reform
The main elements of the reform are: - data protection as a fundamental right; - coverage of all kinds of situations and all kinds of sectors, - technological neutrality of the legal framework to cover different processing techniques - preventing fragmentation and providing legal certainty for individuals, enterprises and public entities, - providing harmonisation for processing of personal data by law enforcement authorities and the exchange between them, - ensuring the protection of EU individuals where personal data are transferred to third countries while providing safe and flexible tools for international data flows.(4)
In that regard the proposed instruments envisage several novelties. The proposal for a Regulation will introduce the concept of "main establishment", a single law applicable to data processing of a controller, the so called "one stop shop", the recognition of the right to be forgotten and the right to portability of personal data, data protection by design and by default, notification of data breaches, data protection officers, international transfers based on adequacy decisions or other appropriate safeguards, namely binding corporate rules, specific rules on data protection authorities with adequate enforcement powers, a consistency mechanism, sanctions, specific provisions on freedom of expression or the employment context. The instruments also clarify several provisions such as the notion of "consent", the provisions on profiling or the exercise of the data subject's rights. The proposal for a Directive sets out a harmonised framework with a minimum level of protection which will apply to processing of personal data by law enforcement authorities both at domestic level and in cases of exchanges of personal data between Member States' law enforcement authorities.
Such goals and the proposed changes arose a legitimate debate regarding, inter alia, questions on the appropriateness of the proposals to achieve the mentioned goals, the relation between general Union law and national specific laws, the inter-linkage of both legislative instruments especially in cases of law enforcement access to data held by private companies, proper safeguards as regards international data sharing and onward transfers, reduction of regulatory/administrative burden and costs for data controllers, appropriateness and effectiveness of sanctions, clarifications on “profiling”, "legitimate interest", "public interest" and "public security", portability of data, data protection by design and by default. Implementation as regards the role of the Commission through delegated and implementing acts and in the consistency mechanism, independence of and division of roles between data protection authorities, etc.
3. Objectives of this Interparliamentary meeting
The Interparliamentary Committee Meeting prepared jointly by the EP Committee on Civil Liberties, Justice and Home Affairs (LIBE) and the Legislative Dialogue Unit (LDU) is intended to reflect on some of the mentioned issues and to engage members of the European Parliament and national Parliaments in an exchange of views and a constructive dialogue. Such a dialogue is essential, as already several national Parliaments took special interest in the proposed instruments, as shown by several reasoned opinions(5) and contributions issued by national Parliaments.(6)
The two day meeting will be divided into seven sessions reflecting the main questions raised by the two proposals: I. The reform of the EU Data Protection framework (general discussion), II. Data protection rights, III. Data protection and law enforcement, IV. Data processors and controllers in the private sector, V. Implementation, DPAs and consistency, VI. Police data sharing and access to private data bases, and VII. Data protection in the global context. For each topic some specific questions were raised and provided beforehand to national Parliaments (see Annex).
Such a structured dialogue and its output will help the two LIBE Rapporteurs and the other Members of the LIBE Committee and the European Parliament in general to duly reflect on and take into account the concerns of national parliamentarians in the framework of the legislative procedure being conducted at EU level. The LIBE Committee will have an orientation vote in the first quarter of 2013.
Order of business
Tuesday, 9 October 2012
9.00 - 9.20 Opening by the President of the European Parliament
9.20 - 10.30 SESSION I - The reform of the EU Data Protection framework - Building trust in a digital and global world
Moderator:Juan Fernando LÓPEZ AGUILAR, Chair of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament
9.25 - 9.35 Ionas NICOLAOU, Chairman of the Committee on Legal Affairs of the Cyprus House of Representatives
9.35 - 9.45Loucas LOUCA, Minister of Justice, Cyprus Council Presidency
9.45 - 9.50 Francoise LE BAIL, Director General, DG JUSTICE, European Commission
9.50 - 10.30 Questions and Answers from national parliamentarians and MEPs
10.30 - 12.30SESSION II - Harmonised and strengthened data protection rights and principles for an interconnected world
Moderator:Jan Philipp ALBRECHT, Member of the European Parliament, Rapporteur on the Data Protection Regulation of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament
10.35 - 10.45Marietta KARAMANLI, Vice-Chairwoman of the European Affairs Committee of the French National Assembly
10.45 - 10.55 Gerrit HORNUNG, University of Passau
10.55 - 11.05 Jean GONIE, Director of Privacy,Microsoft Europe
17.40 - 17.50Alexander DIX, Commissioner for Data Protection and Freedom of Information for Berlin, Germany
17.50 - 18.00 Armin DUTTINE, European Economic and Social Committee
18.00 - 18.10 Frederik BORGESIUS, Institute for Information Law, University of Amsterdam
18.10 - 18.45 Questions and Answers from national parliamentarians and MEPs
Wednesday, 10 October 2012
9.00 - 10.45SESSION V - Implementation of Data Protection law. Ensuring consistency and efficiency.
Moderator:Marielle GALLO, Member of European Parliament, Draftsperson of the Committee on Legal Affairs of the European Parliament, and
Lara COMI, Member of European Parliament, Draftsperson of the EP Committee on the Internal Market and Consumer Protection of the European Parliament
9.05 - 9.15Peter ERIKSSON, Chairman of the Committee on the Constitution of the Swedish Parliament
9.15 - 9.25Peter HUSTINX, European Data Protection Supervisor
9.25 - 9.35Jacob KOHNSTAMM, President of the Article 29 Working Party
9.35 - 9.45 Mario OETHEIMER, European Union Agency for Fundamental Rights
9.45 - 10.45 Questions and Answers from national parliamentarians and MEPs
10.45- 12.30SESSION VI - Police data sharing and access to private data bases
Moderator:Timothy KIRKHOPE, Member of the European Parliament
10.50 -11.00Dr Konstantin VON NOTZ, Committee on Internal Affairs of the German Bundestag
11.00 - 11.10Frédéric TARDIF, Interior Ministry, France
11.10 - 11.20Joe MCNAMEE, European Digital Rights (EDRI)
11.20 - 11.30Eric TÖPFER,Researcher, Deutsches Institut für Menschenrechte, Germany
11.30 - 11.40Dr Wojciech WIEWIÓROWSKI, Inspector General for Personal Data Protection, Poland
11.40 - 12.30 Questions and Answers from national parliamentarians and MEPs
15.00- 16.30SESSION VII - Data Protection in the global context - (1st part) The transatlantic dimension
Moderator:Axel VOSS, Member of the European Parliament
15.05 - 15.15Sharon GESTHUIZEN, Standing Committee on Security and Justice of the Dutch Tweede Kamer
15.15 - 15.25 Paul NEMITZ, Director, DG JUSTICE, European Commission
15.25 - 15.35 David VLADECK, Director, U.S. Federal Trade Commission
15.35 - 15.45 Bruce SWARTZ, Deputy Assistant Attorney General, U.S Department of Justice
15.45 - 15.55 Cameron F. KERRY, General Counsel, U.S. Department of Commerce
15.55 - 16.45 Questions and Answers from national parliamentarians and MEPs
16.45- 18.00SESSION VII - Data Protection in the global context - (2nd part) What standards for effective protection
Moderator: Alexander ALVARO, Vice President of the European Parliament
16.50 - 17.00 Marc ROTENBERG, Electronic Privacy Information Center (EPIC)
17.00 - 17.10 Caspar BOWDEN,Privacy lawyer
17.10 - 17.20 Alexander SEGER, Head of the Data Protection and Cybercrime division, Council of Europe
17.20 - 17.30 Michael DONOHUE, Senior Policy Analyst,
Organisation for Economic Co-operation and Development (OECD)
17.30 - 18.00 Questions and Answers from national parliamentarians and MEPs
18.00 - 18.30Closing Session
Jan Philipp ALBRECHT and Dimitrios DROUTSAS, Rapporteurs on data protection of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament
IMPORTANT NOTICE FOR THOSE WISHING TO ATTEND
This meeting is open to the public. However, for security reasons, participants who do not have a European Parliament access badge must obtain a pass in advance. Those wishing to obtain such a pass should contact the secretariat (firstname.lastname@example.org) before 1 October 2012 at noon. It is essential to provide us with your LAST NAME, First name, date of birth, nationality, type of the ID (passport, identity card, driving licence, etc.), number of the ID, address and company/institution/organisation. Without this information, the Security Service will not provide entry passes.(7)
• During the discussion, so as to make it possible for the highest number of parliamentarians to intervene, speaking time of speakers will be limited to ten minutes and speaking time of other participants to two minutes per contribution or question.
• Members are kindly asked to fill in the sheet requesting speaking time (indicating their name and parliament) which will be distributed in the meeting room.
• Speakers wishing to supplement their speeches may do so in writing by submitting a document (preferably in English or French) in advance to the secretariat (email:
Please, find below for your convenience a link to the website of the European Commission on EU data protection in general and specifically on the two legislative proposals on data protection (General Data Protection Regulation and Data Protection Directive on criminal law):
SESSION I - The reform of the EU Data Protection framework - Building trust in a digital and global world
1.Do you see a necessity and added value in the proposed EU Data Protection reform (questions on subsidiarity and the chosen legal form - two instruments - regulation and directive)?
2.How do you see the relation between Union and national legislation (questions on subsidiarity and the chosen legal form - two instruments - regulation and directive)? Should there be more flexibility for Member States to regulate data processing in special situations? How would this affect the harmonisation of the internal market?
3.What are in your opinion the main missing elements, if any, of the current EU system of data protection based on Directive 95/46/EC and Framework Decision 2008/977/JHA?
4.How to ensure that the envisaged legislation will keep up with technological developments? Are, in your opinion, the principles of “privacy by design” and “privacy by default” an adequate approach?
SESSION II - Harmonised and strengthened data protection rights and principles for an interconnected world
5.What is your opinion about the provisions regarding the rights of data subjects and their applicability in practice, such as portability, right to be forgotten, deadlines to address requests for access, rectification?
6.What is your opinion about the principles underlying these rights, such as the need for a legal basis for data processing, the conditions for consent, or the notions of “public security” or “legitimate interest” as a basis for data processing?
SESSION III - Data protection and law enforcement challenges
SESSION VI - Police data sharing and access to private data bases
7.Should such a new framework also apply to purely domestic processing activities by law enforcement or should it be limited to cross-border cases only (question of reversed discrimination, data protection as a common fundamental right from the Charter, subsidiarity, etc.)?
8.There is a growing tendency by law enforcement to have access to data held by private companies for commercial purposes; how to ensure a proper balance between law enforcement needs and fundamental rights?
SESSION IV - Data controllers and processors in the private sector and employment sector (Free flow of information in the internal market)
9.Is the proposal reducing regulatory/administrative burden for data controllers, especially as regards small and medium enterprises (SMEs)?
10.How will the "one-stop shop" mechanism impact on the laws of the Member States and on the rights of the data subject (legal and linguistic obstacles, etc.)? How to guarantee that decisions are lawfully enforceable in the Member State of residence of the data subject?
11.How to ensure that the envisaged legislation will keep up with technological developments? Are, in your opinion, the principles of “privacy by design” and “privacy by default” an adequate approach?
11a. The proposed Regulation on data protection provides for granting of delegated/implementing powers to the Commission in several cases. What is your opinion about the provisions on conferral of such powers to the Commission? Do you consider that such a conferral is necessary and justified for the implementation of the Regulation in any of the envisaged cases?(8)
SESSION V - Implementation of data protection law. Ensuring consistency and efficiency.
12.How do you evaluate the proposed sanction mechanism (level of sanctions, proportionality, discretion, legal remedies, etc.)? How would this affect provisions in your Member State, and what are the experiences with the current model?
13.How do you evaluate the proposed consistency mechanism (the fact that national DPAs will be required to abide by the decision taken within the consistency mechanism, and the questions of their independence and the risk to act in breach of national law)? How do you perceive the proposed role of the Commission in that regard, especially as regards the question of independence of the European Data Protection Board?
14.How do you evaluate the resources of the data protection authority/authorities in your Member State? How to ensure they are sufficient in a world of ever more data processing?
14a. The proposed Regulation on data protection provides for granting of delegated/implementing powers to the Commission in several cases. Do you consider that such a conferral is necessary and justified for the implementation of the Regulation in any ofthe envisaged cases?(9)
SESSION VII - Data Protection in the global context
15.How do you evaluate the proposed international transfer mechanism in both proposals taking into account that the EU and third states frameworks are not always based on same principles and do not offer the same protections for individuals?
16. The Commission has indicated that its proposal aims at simplifying international transfers and overcome burden for controllers. Does this mean that data subjects' rights will be less protected?
17.Do you have any other remarks as regards the proposed reform package?
See EP working document of 6 July 2012 on the General Data Protection Regulation and on the Directive on the processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences (PE491.322v01).
From the Belgian Chamber of Deputies, the French Senate, the German Bundesrat, the Italian Chamber of Deputies and the Swedish Riksdag for the proposed Regulation and from the German Bundesrat and the Swedish Riksdag for the proposed Directive.
From the Portuguese Parliament, the Czech Senate, the Italian Senate and the Dutch Eerste Kamer for the proposed Regulation and from the Portuguese Parliament, the Belgian Chamber of Representatives, the Spanish Cortes, the Czech Senate, the Italian Senate and the Dutch Eerste Kamer for the proposed Directive.