CEPIS Statement on the draft EU General Data Protection Regulation


CEPIS is aware of the new draft of a European Data Protection Regulation presented by the European Commission and the intensive discussion around this regulation in the European institutions, especially the European Parliament. CEPIS would like to express its support for the statement “Data Protection in Europe” of the more than 100 leading European academics calling for data protection in Europe not to be weakened. In parallel CEPIS would like to point out the following important additional issues with regard to data protection and privacy and recommend that they be considered in the discussion and addressed in the Regulation:

1) Pseudonymisation should not be misunderstood as a replacement for data protection by regulation, or as a reason to lower the level of data protection regulation in Europe. While pseudonymisation is a useful technical instrument for avoiding the immediate identification of individuals from related data, the respective individuals can still be identified by those parties who initially performed the pseudonymisation and often by other parties, too. So pseudonymised data are still personal data and as such need the same level of protection as personal data.

2) Likewise anonymisation should not be misunderstood as a replacement for data protection by regulation or as a reason to lower the level of data protection regulation in Europe. While anonymisation is another useful technical instrument for avoiding the immediate identification of individuals from related data, even formally anonymized data can often be related to the respective individuals due to their contextual richness, e.g. personal movement data often identify a single person even if collected only for a very short time. From genetic data, names of supposedly anonymous people could be retrieved. With the advent of increasingly powerful data mining tools this process gets ever easier. Hence, anonymised data are still personal data and need to be protected by regulation in general and especially the new data protection regulation.

3) Moreover encryption should not be misunderstood as a replacement for data protection by regulation or as a reason to lower the level of data protection regulation in Europe. While encryption is a useful technical security mechanism it does not create a new category of data. Encrypted personal data can still be used to identify individuals if they are decrypted, which is possible for any party with access to the encryption keys.

4) Personal data should only be processed fairly and for legitimate purposes, and should not be treated or presented as a tradable commodity without restrictions governed by the interests of those affected, as this would lead to an infringement of the fundamental right to privacy and data protection as enshrined at EU level.

5) Treating data as a tradable commodity overemphasizes the use of personal data in the private sector. In fact much of the data collection and processing takes place in the public sector and should be granted the same level of protection by data protection regulation.

6) Increased use of privacy enhancing technologies should be encouraged as a worthwhile contribution of informatics to improve data protection. Typical examples of such technologies are data minimizing techniques for communication, attribute-based credentials for authentication and authorisation, privacy preserving data mining, discrimination-aware data mining, transparency and feedback tools informed by users’ needs, as well as user-friendly privacy tools that empower users. Further technical and legal measures need to be taken against the infringement of privacy on mobile devices and platforms where identification is currently made into a condition for the use of hardware and software.

7) The claim for technology neutrality in regulation is a valuable ideal, but it should not be made into a sine qua non, since there have always been specific new technological developments that posed specific new challenges for privacy and its protection. Recent examples include ubiquitous computing with e.g. localisation services and embedded sensors. Without due consideration of technology specifics, in light of Articles 7-8 of the Charter of Fundamental Rights of the European Union, better (technical and organisational) solutions for data protection cannot be appropriately distinguished from suboptimal ones. The new data protection regulation should ensure regular evaluation of the effectiveness of data protection with regard to specific substantial technological developments and promote technology specific privacy enhancing technologies.

8) The establishment of "Data Protection Officers" within enterprises is helpful to relieve public authorities from supervising and enforcing granular checks and balances and to enable enterprises to better synchronize data protection measures with their business processes. However, this is also needed for enterprises with fewer than 250 employees, and any threshold should consider the relevance of personal data processing for the enterprise’s business: enterprises focusing on the processing of personal data need a data protection officer regardless of their size. Currently the best solution would be to enable member states to adjust the distribution of internal and external data protection according to the respective needs and national best practices and experiences.

9) The rules governing the transfer of personal data to third countries or international organisations outside of the EU should not be weakened compared to the current draft regulation. Otherwise the protection of European citizens is endangered as well as the reputation of Europe as a place of relatively privacy friendly data processing.