Europe's privacy chief lambasts proposed data protection changes

Rules have been relaxed to accommodate police forces, says independent data protection supervisor

The EU's proposed rules governing how law enforcement agencies will handle personal data are "unacceptably weak", according to Europe's independent Data Protection Supervisor (EDPS), Peter Hustinx (pictured).

Hustinx has published a critique of proposed changes to data protection legislation adopted by the Commission on 25 January.

He has expressed particular concern that a much lower standard of data handling will be required of law enforcement agencies compared with other entities.

"The proposed rules for data protection in the law enforcement area are unacceptably weak," says Hustinx.

"In many instances there is no justification whatsoever for departing from the rules provided in the proposed Regulation."

He has also highlighted concerns regarding the transfer of personal data outside the EU, and the diminished role of member state data protection offices.

Hustinx says the proposed changes won't impose a general duty for law enforcement authorities to demonstrate compliance with data protection requirements.

He also highlighted a lack of legal certainty about how law enforcement will be allowed further use of personal data beyond the initial purpose for collecting it.

"The law enforcement area requires some specific rules, but not a general lowering of the level of data protection," he says.

Hustinx has also highlighted the possible derogation for transferring data outside the EU, such as when a firm operating within the EU transfers personal data for processing in lower-cost countries.

Additionally, he criticised the excessive power vested in the European Commission's role to enforce consistency of data protection rules at the expense of member state data protection officers, such as the UK's Information Commissioner.

While welcoming the broad intent to harmonise EU data protection measures, Hustinx said there was still a long way to go before the legislation is fit for purpose.

"We are unfortunately still far from a comprehensive set of data protection rules on national and EU level in all areas of EU policy," he concluded.