New CEPIS Statement on the Future EU Data Protection Regulation


At the last Council meeting CEPIS Member Society representatives approved a new CEPIS statement about the draft EU General Data Protection Regulation proposed by the European Commission to replace the current Data Protection Directive adopted in 1995. In this statement CEPIS expresses its support for the Data Protection in Europe statement and highlights a series of issues to take into consideration with regard to data protection and privacy. For instance, pseudonymisation, anonymisation and encryption should not be misunderstood as a replacement for data protection by regulation or as a reason to lower the level of data protection regulation in Europe.

CEPIS Statement on the draft EU General Data Protection Regulation


CEPIS is aware of the new draft of a European Data Protection Regulation presented by the European Commission and the intensive discussion around this regulation in the European institutions, especially the European Parliament. CEPIS would like to express its support for the statement “Data Protection in Europe” of the more than 100 leading European academics calling for data protection in Europe not to be weakened (www.dataprotectioneu.eu). In parallel CEPIS would like to point out the following important additional issues with regard to data protection and privacy and recommend that they be considered in the discussion and addressed in the Regulation:

1) Pseudonymisation should not be misunderstood as a replacement for data protection by regulation, or as a reason to lower the level of data protection regulation in Europe. While pseudonymisation is a useful technical instrument for avoiding the immediate identification of individuals from related data, the respective individuals can still be identified by those parties who initially performed the pseudonymisation and often by other parties, too. So pseudonymised data are still personal data and as such need the same level of protection as any other personal data.

2) Likewise, anonymisation should not be misunderstood as a replacement for data protection by regulation or as a reason to lower the level of data protection regulation in Europe. While anonymisation is another useful technical instrument for avoiding the immediate identification of individuals from related data, even formally anonymised data can often be related to the respective individuals due to their contextual richness; e.g. personal movement data often identify a single person even if collected only for a very short time, and from genetic data the names of supposedly anonymous people could be retrieved. With the advent of increasingly powerful data mining tools this process gets ever easier. Hence, anonymised data are still personal data and need to be protected by regulation in general and especially by the new data protection regulation.

3) Moreover, encryption should not be misunderstood as a replacement for data protection by regulation or as a reason to lower the level of data protection regulation in Europe. While encryption is a useful technical security mechanism, it does not create a new category of data. Encrypted personal data can still be used to identify individuals once they are decrypted, which is possible for any party with access to the encryption keys.

4) Personal data should only be processed fairly and for legitimate purposes and should not be treated or presented as a tradable commodity without restrictions governed by the interests of those affected, as this would lead to an infringement of the fundamental right to privacy and data protection as enshrined at EU level.

5) Treating data as a tradable commodity overemphasizes the use of personal data in the private sector. In fact much of the data collection and processing takes place in the public sector and should be granted the same level of protection by data protection regulation.

6) Increased use of privacy enhancing technologies should be encouraged as a worthwhile contribution of informatics to improve data protection. Typical examples of such technologies are data minimizing techniques for communication, attribute-based credentials for authentication and authorisation, privacy preserving data mining, discrimination-aware data mining, transparency and feedback tools informed by users’ needs, as well as user-friendly privacy tools that empower users. Further technical and legal measures need to be taken against the infringement of privacy on mobile devices and platforms where identification is currently made into a condition for the use of hardware and software.

7) The claim for technology neutrality in regulation is a valuable ideal, but it should not be made into a sine qua non, since there have always been specific new technological developments that posed specific new challenges for privacy and its protection. Recent examples include ubiquitous computing with e.g. localisation services and embedded sensors. Without due consideration of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and of technology specifics, better (technical and organisational) solutions for data protection cannot be appropriately distinguished from suboptimal ones. The new data protection regulation should ensure regular evaluation of the effectiveness of data protection with regard to specific substantial technological developments and promote technology-specific privacy enhancing technologies.

8) The establishment of "Data Protection Officers" within enterprises is helpful to relieve public authorities from supervising and enforcing granular checks and balances and to enable enterprises to better synchronize data protection measures with their business processes. However, this is also needed for enterprises with fewer than 250 employees, and any threshold should consider the relevance of personal data processing for the enterprise’s business: enterprises focusing on the processing of personal data need a data protection officer regardless of their size. Currently the best solution would be to enable member states to adjust the distribution of internal and external data protection according to the respective needs and national best practices and experiences.

9) The rules governing the transfer of personal data to third countries or international organisations outside of the EU should not be weakened compared to the current draft regulation. Otherwise the protection of European citizens is endangered as well as the reputation of Europe as a place of relatively privacy friendly data processing.
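Points 1 and 2 above make a technical claim that is easy to check on one's own data before release: a keyed pseudonym is trivially reversible by whoever holds the key, and a handful of movement points is often enough to single out one person even without it. The following is an added example written for this page, not code from CEPIS; the records, the HMAC key and the cell identifiers are all constructed, and the uniqueness metric is a simplified version of the "how many points single out a trace" check used in the privacy literature.

```python
import hmac
import hashlib
from itertools import combinations

# Constructed sample movement data: (identifier, [(hour, location cell), ...]).
# Invented for this example; not data from the CEPIS statement.
RAW_RECORDS = [
    ("alice@example.org", [(8, "cell-12"), (12, "cell-40"), (18, "cell-12")]),
    ("bob@example.org",   [(8, "cell-12"), (12, "cell-41"), (18, "cell-07")]),
    ("carol@example.org", [(9, "cell-33"), (13, "cell-40"), (19, "cell-33")]),
    ("dave@example.org",  [(8, "cell-12"), (12, "cell-40"), (18, "cell-07")]),
]
# Hypothetical secret known only to the party that performed the pseudonymisation.
PSEUDONYM_KEY = b"constructed-secret-key"

def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated): same input, same token."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymised_dataset(records=RAW_RECORDS, key=PSEUDONYM_KEY):
    """Replace identifiers by pseudonyms; the movement points are left untouched."""
    return [(pseudonymise(ident, key), points) for ident, points in records]

def reidentify(token: str, known_identifiers, key=PSEUDONYM_KEY):
    """Point 1: whoever holds the key simply recomputes the pseudonyms of the
    identifiers it already knows and matches them against the token."""
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonymise(ident, key), token):
            return ident
    return None

def uniqueness(dataset, k: int):
    """Point 2: re-identification risk without any key. Returns (unique, total)
    over all (record, k points of that record) pairs; a pair is unique if no
    other record contains those same k points. unique/total is the chance that
    k observed points single out exactly one individual in the dataset."""
    traces = [(token, frozenset(points)) for token, points in dataset]
    unique = total = 0
    for token, trace in traces:
        for subset in combinations(sorted(trace), k):
            total += 1
            if not any(set(subset) <= other for t, other in traces if t != token):
                unique += 1
    return unique, total
```

On the constructed records, two observed points already single out 8 of the 12 possible (person, point pair) combinations, and three points identify everyone, which is the effect the statement describes for movement data.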
