"To protect personal data, support innovation, preserve individual liberties"


EU data protection regulation: a major step forward at the European Parliament

24 October 2013

On 21 October, the Civil Liberties, Justice and Home Affairs Committee (LIBE) adopted on a strong majority its position on the proposed EU data protection regulation, as well as on the directive proposed in parallel in the area of police and justice.

The vote of the LIBE Committee is a powerful political signal. It is the expression of a strong political identity of the European Union on an issue that is crucial in terms of values as well as economically.

The CNIL welcomes the fact that the LIBE Committee has not further delayed its vote and has voted at the same time on both proposals, thus showing its commitment to a package approach to the protection of personal data.

In general, the data protection principles and the rights of the citizens come out strengthened from this vote, and so do the data controller’s and processor’s obligations. Also noteworthy are the more dissuasive sanctions.
Moreover, on many points, the recommendations made by the CNIL were followed.

In respect of the PRISM revelations and as explicitly asked by the CNIL from the beginning of 2013, the LIBE text introduces a control by the data protection authorities on requests for access to data of European citizens coming from administrative or judicial authorities of third countries. This response, indeed partial yet politically important, is a first step in building a legal framework that offers more protection against the intelligence activities of third countries.

Regarding the draft directive and as recommended by the CNIL, the processing of biometrical data is governed by stricter rules than in the Commission’s proposal. Also, Member States are explicitly left the possibility to offer a higher level of protection.

The process is not finished and the texts will evolve. At this stage, the CNIL remains concerned about the following major aspects of the draft regulation:

  • The criterion of competence of data protection authorities based on the citizens that are targeted should appear more explicitly in the body of the text;
  • In cross-border situations, the concerned citizens should be able to seek judicial redress against decisions affecting them with the administrative court of their country of residence;
  • Pseudonymous data remain personal data. Any idea of a derogatory regime for such data should be dismissed as it would lead to excluding a growing part of personal data from the protection they deserve.
Chargement en cours...