Background

  27.1  The draft Regulation, which would apply to the EC institutions and bodies rules on the protection of personal data broadly similar to those that apply to Member States, has been under scrutiny for a year. Both we, and our sister Committee in the House of Lords, have raised a number of questions with the Minister of State at the Home Office (Mrs Barbara Roche) about the scope and precision of the measure and the powers of the proposed independent data protection authority — the European Data Protection Supervisor (EDPS).

  27.2  When we last considered the draft Regulation (in May)[93], we decided not to clear it until we were reassured that sufficient safeguards were built into the measure. The Minister has now written, addressing our concerns. She has also deposited a new text (document (b)), together with an Explanatory Memorandum.

The Minister's letter

  27.3  The Minister writes:

"The Committee's comments relate to the desirability of the Regulation's making more specific provision on certain matters than it currently does. They refer first to the need for Article 4 to set specific safeguards...


"In the Government's view, the amendments [to Article 4] can be seen as providing specific safeguards. It is true that in each case there is a general requirement upon the data controller to provide safeguards. But this is followed in each case by a clause which describes the particular provision to be made. The Government interprets this as requiring controllers to provide, as a minimum, the safeguards mentioned 'in particular' in each of the relevant paragraphs."


(The Minister then cites the exact clauses in the amended Article.)

  27.4  We also considered that Article 12.2 (which allows an exemption from the requirement on controllers to provide information to individuals when data about them are collected from third parties) should set the appropriate safeguards rather than requiring the controller to do so. The Minister tells us that the Presidency, in co-operation with the Commission, has proposed a redrafting which would require the institution or body to consult the EDPS before setting the safeguards. She considers that this consultation can itself be seen as a safeguard. (Document (b) contains this amendment.)

  27.5  Finally, we had raised concerns about Article 18, which allows EC institutions and bodies to adopt broadly-formulated exemptions administratively. The Minister agrees that more closely defined exemptions would have been preferable, but tells us that, as there was little support for this suggestion from other Member States, the Government is prepared to accept the current formulation.

Document (b) and the Government's views

  27.6  The Minister tells us that many amendments to the original text have been proposed, leading, in her view, to a much improved document, in terms of both form and content. She attaches to her Explanatory Memorandum a paper outlining the main changes, the key effects of which she describes as follows:

Structure


"The structure of the Regulation has been revised by removing unnecessary repetition and introducing a more logical order, particularly in Chapter V.


Legal points


"Some of the changes have been made to clarify the Regulation's consistency with EC law. In particular, the scope of the Regulation (Article 3) is now more limited. The original version would have applied to any processing of personal data by the EC institutions and bodies whether that processing was carried out under the First, Second or Third Pillars. The present version limits the scope to First Pillar processing.


Consistency with Data Protection Directives


"A number of amendments have been made to achieve a closer fit between the Regulation and the Data Protection Directives. These include, in particular, the addition of further or better safeguards. Some examples, among many, are the clarification of the safeguards in Article 4; the limitation of the derogation provided by Article 11.2; the inclusion in Article 13 of a reference to the data subject being able to exercise his/her right of access 'without constraint'.


Practicability


"The purpose of some amendments is to ensure that the rules established by the Regulation are capable of being applied effectively in practice. Examples are some of the amendments relating to the transfers of personal data in Section 2 of Chapter II (e.g. the addition of what is now Article 9.4); and some of those relating to prior checking in what is now Article 27.


The Supervisory Authority


"The provisions relating to the appointment of and the administrative arrangements for the EDPS have been clarified, as have those setting out his/her powers and duties."

Possible further amendments

  27.7  In her Explanatory Memorandum, the Minister tells us that the European Parliament is likely to propose further amendments to the text in relation to two significant issues — the scope of the measure in relation to Second and Third Pillar activities (about which we questioned the Minister in an earlier report⁴⁸), and the power of the EDPS to bring cases before the Community Courts.

  27.8  She expects the changes to the scope of the measure to include the following:

"—  a further amendment to Article 3.1 so that that provision would then read:

'This Regulation shall apply to the processing of personal data by the Community institutions and bodies insofar as such processing is carried out in the exercise of activities which fall wholly or partly within the scope of Community law.'

"This would be accompanied by an addition to Recital 12 referring to Article 6 TEU in the context of the processing carried out by the Community institutions and bodies under the Second and Third Pillars; and to the provisions on access to documents in Article 255 TEC which extend to the Second and Third Pillars.


"—  a new Recital 12aa referring to the current Third Pillar data protection initiatives (i.e. the development of common data protection rules for future Third Pillar instruments, and the creation of a common secretariat for the Third Pillar Joint Supervisory Bodies).


"—  the reworking of Article 45(f) of the draft Regulation to stress the need for the EDPS to co-operate with the Third Pillar supervisory authorities to improve the coherence of the application of data protection rules."

  27.9  In relation to the EDPS, the Minister expects the reinsertion of a power for the Supervisor to bring cases before the ECJ where the TEC provides for this.

  27.10  She tells us that the Government could accept all these amendments.

Timetable

  27.11  The Minister tells us that, if it proves possible for the European Parliament to agree the Regulation on first reading, the Presidency is expected to put the draft Regulation on the Internal Market Council agenda on 30 November with a view to its adoption.

Conclusion

  27.12  We thank the Minister for her letter, which helpfully addresses our questions. It was not clear from her earlier letter (in April) that she considered the amendments to Article 4 provided sufficient safeguards; it now appears that she is content with them, and with the new amendment to Article 12.2. We note that the Government is prepared to live with the current formulation of the exemptions in Article 18 although, like us, it would have preferred more detailed provision.

  27.13  We are pleased with the improvements in the new text, and we welcome the proposed changes, which should enable greater coherence across the three Pillars. We also welcome the likely reinstatement of the power for the European Data Protection Supervisor to bring cases before the ECJ, although we note that this will be a limited power unless or until the Treaty is amended.

  27.14  We clear both the documents.