26.02.2013

Irish Presidency note: Watering down the proposed General Data Protection Regulation?

The purpose of this Presidency note is to report to the Council on the progress achieved on the
Commission proposal for a General Data Protection Regulation.
[...]

IV. Conclusion
14. In view of the above, the Presidency suggests COREPER invite the Council

1) to take note of the above state of play;
2) to discuss whether
(a) controllers should have an obligation to engage in prior consultation with the supervisory authority where their risk assessment indicates that envisaged processing operations are likely to present a high degree of specific risk,
(b) the designation of a data protection officer should be optional rather than mandatory and whether the controller's obligations can be alleviated in cases where a data protection officer is then designated on a voluntary basis,
(c) the application of approved codes of conduct and the use of approved data protection certification mechanisms should be incentivised by establishing linkages with the risk assessment process;
3) to instruct DAPIX to continue work on the risk-based approach, inter alia, by
(a) further developing criteria for enabling the controller and processor to distinguish risk levels along the lines suggested in paragraph 6 above, in order to calibrate the application of their data protection obligations;
(b) further exploring the use of pseudonymous data as a means of calibrating controllers' and processors' data protection obligations; and
4) to instruct DAPIX to continue work on flexibility for the public sector along the lines suggested in paragraph 12 above, by clarifying the details that can be regulated under the law that provides the national legal basis for the data processing.


Source: Statewatch