On Monday 22 September, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) organised an exchange of views on the digital simplification package - scheduled for the fourth quarter of this year - and the assessment of the digital legislative framework for the protection of fundamental rights, in particular to address the issue of administrative constraints without compromising the protection of these rights.
Julien Mousnier, Director for the Rule of Law, Fundamental Rights and Democracy at the European Commission’s Directorate-General for Justice, addressed the issue in the context of the GDPR. The aim is not to call into question the principles, but to adapt the obligations according to the level of risk, so that the formalities only fully apply to the processing of sensitive data, such as health data, criminal data, or other processing likely to threaten the rights and freedoms of individuals.
The main change proposed concerns the obligation to keep a register of data processing (Article 30 of the GDPR). The Commission wants this obligation to apply only to processing operations presenting a “high risk” to individual rights (Article 35), while extending the register exemption to medium-sized companies with up to 750 employees.
The aim is not to “deregulate”, but to remove procedural requirements that have little correlation with the effective protection of individuals, in order to maintain compliance efforts for sensitive operations.
Julien Mousnier also pointed out three safeguards necessary for the protection of rights.
Firstly, the principles of the GDPR remain untouchable. Processing must therefore be legal, limited to strictly necessary data, transparent and secure, while guaranteeing the rights of data subjects.
Then there is the principle of accountability (Article 5), under which data controllers must be able to demonstrate their compliance at any time.
Finally, there is the risk-based approach set out in the guidelines of the European Data Protection Board and in the national lists of processing operations requiring an impact assessment.
MEPs’ concerns focused on equal protection across the Union (avoiding different interpretations of “high risk”) and legal certainty for small structures, i.e. not replacing precise obligations with vague rules that would create legal uncertainty.
According to the European Commission, the definition of “high risk” remains governed by Article 35 of the GDPR and by the guidelines of the European Data Protection Board. The national authorities also publish lists of processing operations considered to be sensitive.
The Commission wants to avoid adding new obligations and prefers to clarify the existing rules. So competitiveness must not be achieved at the expense of rights. In fact, fewer formalities for low-risk treatments does not mean an end to liability.
Companies are still required to prove compliance, inform individuals, ensure security and cooperate with regulators.
However, when it comes to sensitive data relating to privacy, dignity or non-discrimination, the traceability and documentation requirements apply in full. (Original version in French by Nithya Paquiry)