EESC opinion: General Data Protection Regulation

Key points

  • The EESC welcomes the general direction taken by the Commission, endorses the proposed choice of basis for legislation and agrees in principle with the objectives of the proposal.
  • The Committee continues to have some doubts as regards the choice of regulation as the legal instrument most suited to the goals set, and calls on the Commission to explain precisely why this instrument is preferable to a directive, and even crucial.
  • In the new context of the digital economy, the Committee shares the Commission's opinion that "individuals have the right to enjoy effective control over their personal information" and considers that this right should be extended to cover the various purposes for which individual profiles are drawn up on the basis of data collected by numerous (legal and sometimes illegal) methods and its processing.
  • When it comes to delegated acts, references to which appear almost everywhere, the Committee cannot accept those that do not fall within the express scope of Article 290 TFEU.
  • The Committee welcomes the focus on creating a proper institutional framework to ensure that the legal provisions function effectively, both at company level (through data protection officers (DPOs)) and in Member States' public administrations (through independent supervisory authorities). It would, however, have appreciated an approach from the Commission that was more in line with the real needs and expectations of the public and that applied more systematically to certain fields of economic and social activity in accordance with their nature.
  • The EESC considers that several improvements and clarifications can be made to the proposed text and gives some detailed examples in this opinion in relation to a number of articles.
  • The EESC believes that search engines, the majority of whose revenue comes from targeted advertising thanks to their collection of personal data concerning the visitors to their sites, or indeed the profiling of those visitors, should come expressis verbis within the scope of the regulation. The same should go for the sites of servers providing storage space and, in some cases, cloud computing software, that can collect data on users for commercial ends.
  • The same should also apply to personal information published on social networks.
  • Lastly, the EESC calls on the Commission to reconsider certain aspects of the proposal that it deems unacceptable, in sensitive areas such as child protection, the right to object, profiling, certain restrictions to the rights granted, the threshold of 250 workers for the appointment of a DPO and the way in which the "one-stop shop" is organised.