The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (GUE/NGL, DE) on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows.

Scope of the Regulation: Members stated that the Regulation shall also apply to Union agencies carrying out activities which fall within the scope of chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) under Title V of Part Three TFEU, including where the founding acts of these Union agencies lay down a standalone data protection regime for the processing of operational personal data. Provisions relating to specific processing of operational personal data contained in the founding acts of these agencies may particularise and complement the application of this Regulation.

The provisions on the specific processing of data contained in the founding acts of the agencies shall clarify and complete the application of the Regulation.

Transfer of personal data between Union institutions and bodies: such a transfer shall only be possible if the data are necessary for the legitimate performance of tasks falling within the competence of the recipient. The controller shall verify the competence of the recipient and provisionally evaluate the necessity for the transfer of such data.

Transmission of personal data to recipients established in the Union: personal data may only be transmitted to recipients established in the Union and subject to the General Data Protection Regulation (Regulation (EU) 2016/679) or the national rules adopted pursuant to Directive (EU) 2016/680 only if the controller demonstrates, on the basis of a reasoned request from the recipient that the transmission is proportionate and necessary for the purposes of serving the public interest such as transparency or good administration and after having demonstrably weighed the various competing interests.

Restrictions: the proposal provides that legal acts adopted on the basis of the Treaties or, for matters concerning the functioning of the Union's institutions or bodies, internal rules laid down by them may restrict the exercise of the rights of the data subject. Members proposed to delete the possibility for Union institutions, bodies, offices and agencies to restrict the exercise of data subject’s rights by way of internal rules. 

It is also specified that legal acts adopted on the basis of treaties to restrict the exercise of the rights of the person concerned shall be clear and precise. Their application shall be foreseeable to persons subject to it.

In particular, any legal act shall contain specific provisions at least, where relevant, as to: (i)  the purposes of the processing; (ii) the categories of personal data; (iii) the scope of the restriction introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (vii) the risks to the rights and freedoms of data subjects; and (viii) the right of data subjects to be informed about the restriction.

Approved certification mechanisms and codes of conduct: under the proposal, the controller should implement technical and organisational measures to ensure that processing is done in accordance with the Regulation and is able to demonstrate it.

Members inserted a provision stating that adherence to approved certification mechanisms as referred to in Article 42 of Regulation (EU) 2016/679 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Adherence to an approved code of conduct may be used as an element by which to demonstrate compliance.

Register of processing activities: Union institutions and bodies shall be obliged to keep their records of processing activities in a central register and make the register publicly accessible.

Independent monitoring by the European Data Protection Supervisor (EDPS): all institutions and bodies, including the Court of Justice, shall be subject to independent supervision by the EDPS. Members proposed that the European Parliament and the Council appoint, by common accord, the EDPS for a period of five years, on the basis of a list drawn up jointly by the European Parliament, the Council and the Commission following a public call for candidates.

The EDPS and the national supervisory authorities, acting within the scope of their respective competencies, shall cooperate in the framework of their responsibilities in order to ensure effective and coordinated control of large-scale IT systems or Union bodies, offices or agencies.

Alignment with the General Data Protection Regulation: Members tabled a number of amendments aimed at aligning this proposed Regulation with the General Data Protection Regulation in order to streamline these two texts as much as possible and to make ensure that the Union is kept to the same standards as the Member States when it comes to data protection.

The provisions introduced by the Members include the following aspects:

• principles relating to the processing of operational personal data: for example, data lawfully and fairly processed, collected for specified, explicit and legitimate purposes, kept in a form that enables the data subject to be identified for no longer than not necessary, processed to ensure appropriate data security;
• prohibition of treatment of particular categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; processing of genetic and biometric data, data relating to health or a person’s sexual life or sexual orientation;
• distinction between different categories of data subjects;
• specific processing conditions;
• transmission of operational personal data to other Union institutions and bodies;
• information to be made available or given to the data subject;
• the right of access of the data subject and limitations of the right of access; right of rectification or erasure;
• transfer of operational personal data to third countries.

Review clause: no later than 1 June 2021, and every five years thereafter, the Commission shall report on the application of the Regulation, accompanied, if necessary, by appropriate legislative proposals.

PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the protection of natural persons in relation to the processing of personal data is a fundamental right. Moreover, in Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for adopting rules on the protection of personal data.

Regulation (EC) No 45/2001 of the European Parliament and of the Council provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies.

However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which fall outside the scope of Union law.

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and Directive (EU) 2016/680 of the European Parliament and of the Council were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation.

Regulation (EU) 2016/679 stresses the need for the necessary adaptations of Regulation (EC) No 45/2001 in order to provide a strong and coherent data protection framework in the Union and to allow application at the same time as Regulation (EU) 2016/679.

It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions and bodies with the data protection rules adopted for the public sector in the Member States.

CONTENT: in order to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the General Data Protection Regulation of 2016, the Commission has proposed the following:

Objective: this proposed Regulation has a two-fold objective:

• to protect the fundamental right to data protection and to guarantee the free flow of personal data throughout the Union;
• to provide for the main tasks of the European Data Protection Supervisor (EDPS).

Scope: the proposal shall apply to the processing of personal data, by automated means or otherwise, by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Union law. The material scope of this Regulation is technologically neutral. The protection of personal data applies to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or are intended to be contained in a filing system.

Levels of protection: new principles of transparency and of integrity and confidentiality have been incorporated into the new text. Further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them. It sets 13 years as the child's minimum age for valid consent.  New rules are provided for a specific level of protection on the transmission of personal data to recipients, other than Union institutions and bodies. The proposal clarifies that, where it is the controller initiating the transmission, it should demonstrate necessity and proportionality of the transmission.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Data controller’s obligations: the proposal specifies the controller's information obligations towards the data subject where personal data are collected from the data subject, providing information to the data subject, including on the storage period, the right to lodge a complaint and in relation to international transfers.

Personal data must remain confidential subject to an obligation of professional secrecy regulated by Union law. This could apply for example in proceedings by services competent for social security or health matters.

Further modalities are provided to facilitate the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object.

Obligations for EU institutions: the proposal provides for an obligation for Union institutions and bodies to inform the EDPS when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for an obligation for the Commission to consult the EDPS following the adoption of proposals for a legislative act and of recommendations or proposals to the Council and when preparing delegated acts or implementing acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data.

Provisions are also laid down concerning the transfer of personal data to third countries or international organisations.

EDPS: specific provisions are laid down as regards the appointment of the EDPS by the European Parliament and the Council, the duration of its term of office: five years; the general conditions governing the performance of duties of the EDPS and his or her staff and the financial resources.