The General Data Protection Regulation - Where are we now?
Dr Jens Matthes
Catherine Di Lorenzo
09 June 2015
In 2012, the European Commission proposed the General Data Protection Regulation, with the aim to update and modernise the principles of the 1995 Data Protection Directive.
To become law, the proposed text will need to be adopted jointly by the European Parliament and the Council of Ministers (i.e. ‘ordinary legislative procedure’). In March 2014, the European Parliament voted in plenary and adopted a revised version of the Commission’s proposed text. The EU Council is currently defining its own position. Once the Council has come to an agreement on the full text (there is no time-limit for the Council to do this), there will be negotiations between the EU Commission, EU Parliament and EU Council to agree the final text.
In practice, in order to reach agreement on the full text, the EU Council (consisting of the relevant responsible ministers of each EU Member State) reaches political agreement on specific aspects in different stages (the so-called ‘partial general approach’). The EU Council has already reached several partial agreements on specific issues and chapters of the draft Regulation, although the Council is clear that this is in line with the principle that “nothing is agreed until everything is agreed”. Some “agreed” parts still face objections from some Member States.
In this update we consider the current position of the Council, some of the key issues currently being discussed and look at where we are now with the General Data Protection Regulation.
What has the EU Council agreed so far?
The EU Council has reached partial agreement on six out of the eleven chapters (and their corresponding recitals) of the draft Regulation. There is an agreement on:
- the basic principles of data protection: The Council has agreed on a set of principles for lawful, fair and transparent data processing in a similar way to that proposed by the EU Commission and adopted by the EU Parliament. One of the most significant changes made by the Council relates to the consent requirements as a legal basis for processing a data subject’s personal data. The Council adds specific conditions for pre-formulated consent (“in an intelligible and easily accessible form, using clear and plain language and its content should not be unusual within the overall context”) and clarifies when consent should be regarded as ‘not freely given’. Furthermore, the Council introduces new principles that are beneficial for businesses: ‘pseudonymisation’ of personal data as a means to help meet data protection obligations; processing of personal data for ‘direct marketing’ as a legitimate interest basis; processing of clients’ or employees’ personal data within a group of undertakings for internal administrative purposes may be regarded as carried out for a legitimate interest; further processing of personal data for purposes other than those for which it was initially collected is allowed under certain conditions.
- the rights and obligations of Controllers and Processors: The existing general principles remain mainly unchanged. Nonetheless, some novelties are introduced by the Council. For example, the Council lays down detailed conditions and procedures on how the controller is to implement ‘appropriate measures’ in order to demonstrate compliance with the Regulation (risk assessment criteria, data minimisation, pseudonymising personal data as soon as possible, transparency with regard to the functioning and processing of personal data, …). Further, the Council continues to hold onto the proposed principle that non-EU-based corporations processing personal data of EU citizens should appoint an EU-based representative, but redefines the exemption to this principle by adding that this is “unless the processing is occasional and unlikely to result in a risk for the rights and freedoms of individuals” instead of taking into account the size of the corporation or the quantity of processing. Further, the controller is not required to communicate a personal data breach to the data subject if appropriate technological protection measures (e.g. encryption) are implemented. The requirement to appoint a Data Protection Officer has been made optional unless required by EU or Member States’ law. However, the Council also introduces new obligations on controllers and processors: e.g. an obligation to carry out a data processing impact assessment for the processing of certain types of data (e.g. health data, biometric data, data protected by professional secrecy, …); an obligation for data processors to obtain written consent from the controller before sub-contracting.
- the territorial scope and the transfer of personal data to third countries: The territorial scope of the draft Regulation has always been a controversial issue. The Council agrees in general with the EU Commission and Parliament on applying the Regulation to non-EU businesses where the processing activities relate to the offering of goods/services within the EU or where they relate to the monitoring of data subjects’ behaviour “as far as their behaviour takes place within the EU”. As to the international transfer of data, the Council agrees mainly with the EU Parliament and EU Commission. However, the Council introduces two new grounds as an appropriate safeguard for international transfers: an ‘approved code of conduct’ and an ‘approved certification mechanism’ with binding and enforceable commitments.
- the role and co-operation of the supervisory authorities, including the ‘one-stop-shop’ mechanism for data protection supervision: Currently, there is no obligation for national data protection authorities (DPAs) to cooperate and coordinate with each other. The one-stop-shop mechanism is aimed at streamlining data protection supervision in the EU when data is being processed in multiple jurisdictions. The EU Council has limited the original proposal by the EU Commission. Concerns were raised about enabling one single DPA to regulate and supervise the processing activities of a given controller in all Member States (risk of forum shopping). According to the text agreed by the Council, the ‘one-stop-shop’ mechanism should only play a role in important cross-border cases and will provide for cooperation and joint decision-making between the relevant DPAs. Furthermore, the Council broadens the tasks and powers of the DPAs (e.g. corrective powers such as issuing warnings or imposing administrative fines, …).
What are the remaining key issues?
In general, the key issues that the Council still needs to agree on are:
- the general provisions and the rights of the data subject: The main issue here is ‘the right to be forgotten’. In the recent ‘Google Spain’ case, the EU Court of Justice ruled that individuals have the right – under certain conditions – to request that a third party remove information on them which is inaccurate, inadequate, irrelevant or excessive. It remains to be seen whether the Council will codify the principle, the conditions and the exemptions as laid down in this ruling of the Court of Justice. Another key issue is the so-called ‘household exemption’ (to what extent data protection rules apply to individuals processing data exclusively for personal activities). It seems that not all Member States are willing to extend this exemption in the Regulation.
- the remedies and sanction mechanisms: The main issue here remains finding agreement on the ‘administrative sanctions and fines’ to be imposed by DPAs for breaches of data protection law. The Commission proposed a maximum fine of EUR 1 million or 2% of the annual worldwide turnover of a company, whereas the EU Parliament, which is committed to sending a message that it attaches great importance to compliance, has raised this amount to EUR 100 million or 5% of the annual worldwide turnover of a company. It remains to be seen what position the EU Council will take and what compromise the EU Parliament is willing to accept in this respect.
What happens next?
Negotiations within the EU Council are entering their final stage. The EU’s justice commissioner, Věra Jourová, has announced that it is important that the Council reach consensus on the Regulation at its next meeting on 15 June 2015.
If the Council comes to an agreement on the full text in June, the informal trilogue discussions (i.e. negotiations between the EU Commission, EU Parliament and EU Council) could still start before the summer recess in August. Since there are no time limits at this stage of the legislative process, it remains to be seen how willing the institutions are to agree a final text. We believe the trilogue discussions will take more than 12 months to agree a final text, given the highly sensitive nature of the Regulation and taking into consideration the length and complexity of the text. Therefore, we do not expect that the Regulation will be adopted before the fall of 2016.