The Presidency of the Council of the EU presented its draft conclusions for the Commission’s review of the Directive on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (2016/680) to the members of the Working Party on Data Protection on Thursday 23 September.
Acknowledging that the recent implementation of the Directive - in May 2018 - does not allow for the necessary hindsight, the EU Council calls first and foremost on the Commission to take greater account of the concrete cases existing in the Member States.
The draft conclusions also focus on decisions on the adequacy of a third country’s data processing rules with those in force in the EU.
The EU Council considers it “crucial” that future decisions, described as “an essential tool” for the safe transfer of data to third countries, are based on “compliance with all the criteria set for such decisions, including for onward transfers”. The document also stresses the need for such decisions to be subject to “ongoing monitoring and periodic review”.
So far, only two adequacy decisions have been issued recognising the adequacy of the rules on data protection and data processing between the UK and the EU.
On 21 May, MEPs expressed their reservations and asked the Commission to review its plans (see EUROPE 12724/16). Another adequacy process is also underway between the EU and South Korea (see EUROPE 12742/31).
Still on the subject of adequacy decisions, the EU Council would like the Commission to be able to request consultations with third countries for future decisions. Until that is possible, the examination of the level of protection can only be done at the request of a third country.
More investment, more consultation
Furthermore, the EU Council underlines that more investment from Member States or relevant EU institutions, such as the European Union Agency for Cybersecurity (ENISA) or the European Data Protection Supervisor (EDPS), would be welcome. This would allow, among other things, the establishment of a group of experts specialised in the field, according to the Presidency.
Similarly, the Slovenian Presidency considers that the EDPS should be more widely consulted in setting future directions.
Finally, the EU Council believes that Member States should be provided with clarification on certain issues, such as the definition of the term ‘competent authority’. Indeed, the document details that personal data can only be transmitted to “competent authorities of third countries”. However, their identification could prove - in some cases - likely to be complex.
The next meeting of the Working Party on Data Protection will take place on 14 October.
See the document: https://bit.ly/3ulUlIB (Original version in French by Thomas Mangin)