On 15 June 2015, the Council of the EU announced that it had agreed a general approach to the draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the proposed ‘GDPR’).
This agreement marks a notable step closer to updating EU data protection law, with the original aims of the GDPR being to enhance the level of personal data protection for individuals, to increase business opportunities in the digital Single Market, and to provide protective guarantees regarding transfers of personal data outside the EU.
The general approach was voted in by a majority of the Council of Ministers (Austria and Slovenia dissenting) based upon a text of the GDPR put forward by the Latvian Presidency. This text will provide the foundation for trilogue discussions commenced by the Council this week in negotiation with the European Commission and the European Parliament (three of the main EU institutions), with a view to reaching overall agreement on the final text of the GDPR to be adopted by the end of this year. This may be no mean task, as the text approved by the Council differs markedly both from the text adopted by the European Commission in January 2012 and from the amendments to the Commission’s text proposed by the European Parliament in its first reading in March 2014.
Examples of issues of contention between the institutions include the following:
- The establishment of a ‘one-stop-shop’ for data protection investigations – In the Council’s press release announcing its general approach, it refers to the ‘one-stop-shop’ as a mechanism aimed at reducing costs and providing greater legal certainty in enforcement cases where several DPAs are involved. In particular, the main idea behind the introduction of the mechanism was to permit a single supervisory DPA to take the lead in cases where a data controller is established in several EU Member States, thereby increasing the likelihood of a consistent outcome across the EU. However, the added detail and extensive rules appended by the Council in its general approach (see Recital 97 onwards) would appear to dilute the prospect of achieving these objectives in practice.
- Consent – The Council deletes the Commission’s proposal that obtaining the data subject’s consent should not provide a legal basis for data processing in circumstances where there is “a significant imbalance between the position of data subject and the controller”. Furthermore, it inserts the word “unambiguous”, rather than the Parliament’s choice of phrase “explicit”, in describing the quality of the consent that must be obtained by data controllers from data subjects to provide a legal basis for processing their data. This small change can have big consequences in how data controllers – such as online service providers – interpret the extent of their compliance obligations.
- Fines – According to the Council, the level of fines that can be imposed on data controllers by data protection authorities (DPAs) for data protection compliance failings should have an upper limit of either 1 million EUR or 2% of annual global turnover of a company (whichever is higher). This is significantly smaller than the fining ceiling of up to 100 million EUR or 5% of annual global turnover suggested by the European Parliament.
- A risk-based approach to compliance – According to the Council’s press release, “[i]n order to reduce compliance costs, data controllers can, on the basis of an assessment of the risk involved in their processing of personal data, define risk levels and put in place measures in line with those levels”. In the text of its general approach, however, the Council appears to take a less risk-averse stance than the Commission before it in defining the compliance obligations that must be followed by all data controllers. For example, the Council proposes that only data security breaches that are “likely to result in a high risk for the rights and freedoms of the individuals […] or any other significant economic and social disadvantage” be reported to DPAs. Furthermore, this should be within a period of no longer than 72 hours (rather than 24 hours, as proposed originally by the Commission) of the data controller becoming aware of the breach (Article 31(1)). Promotion of a risk-based approach is also a point of contention between the Council and the Parliament, with the latter taking a more absolutist stance on the protection of individuals’ fundamental rights to data protection in the GDPR. By contrast, the Council takes a more flexible position, as reflected in its insertion of a new Recital (3a) in the GDPR emphasising that data protection is not an absolute right. [By way of illustration of the difference in approach, see the Google Spain case, in which the Court of Justice of the EU (CJEU) dealt with issues regarding the data processing activities of search engine providers, their status as data controllers, and the existence and scope of a right to be forgotten. The Court made it clear that while the search engine’s commercial interests in processing the information will not, as a rule, override the data subject’s rights to privacy and data protection, a balancing of the data subject’s fundamental rights against the interests of other internet users in accessing that information must be carried out (para 81).] The Council also demonstrates its preference for a risk-based approach in its proposals that certain data protection obligations may be ‘turned off’ depending on the context and circumstances in which personal data processing is carried out. One such example is illustrated in the Council’s treatment of the issue of pseudonymisation in the new GDPR.
- Pseudonymisation – Both the Parliament and the Council concur that pseudonymisation of personal data by data controllers should be encouraged as a measure that reduces the processing risks to data subjects. However, the Council’s general approach differs from the Parliament’s text regarding the extent to which reduced compliance obligations should apply to the processing of pseudonymised data. [The two institutions also take a different approach in their proposals for the wording of Recital 23 of the GDPR and how to determine whether a person can be deemed ‘identifiable’ from data – see Sophie’s earlier post on this issue and the concept of pseudonymous data, commenting upon the text of an earlier, leaked Council draft of the GDPR.] Under the Council’s agreed general approach text, Article 10 states that “if the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller” – and, assuming that the same data controller “is not in a position to identify the data subject” (and can demonstrate as much if required) – a number of data subject rights would become inapplicable. The Council suggests these inapplicable rights should include the pseudonymous data subject’s right of access (Article 15), their right to rectification (Article 16), their right to erasure / to be forgotten (Article 17), and their right to portability (Article 18). [The Council also suggests the insertion of a new Article 12(4a) in the GDPR, which would require the controller to request additional information from an individual asserting a right if the controller has reasonable doubts about that individual’s identity.]
In summary, despite political agreement being reached by the Council over the general approach, this compromise has been achieved through the ‘watering down’ of some of the provisions proposed for inclusion in the GDPR and/or by permitting more flexible application of certain rules. This, in itself, reveals considerable disagreement between Member States on some fundamental issues, as well as a general endorsement by the Council members of a more risk-tailored approach to data protection obligations.
Disagreement between the institutions about the content of the GDPR also extends to the issue of whether (and how much) power Member States should be given to supplement its provisions through national laws, as well as the proper scope of the Commission’s possible delegated powers. Examples of such ‘carve-outs’ put forward by the Council include powers for Member States: to modify the application of the GDPR to the public sector; to provide derogations when personal data are processed for historical, statistical, scientific, or archiving purposes; and, to decide whether to make mandatory an obligation upon companies to appoint data protection officers.
Critics may argue that such derogations (if they were to be included in the final GDPR text) undermine the likelihood of consistent data protection rules being applied across different Member States. Indeed, some may say that there is the risk of the original vision of the pan-EU harmonisation of data protection rules disappearing out of sight if the Council has its way.
Looking forward to the immediate future, in order to reach a consensus between the EU institutions, the ordinary legislative procedure prescribes that the Council and the European Parliament must agree on the same final text. Luxembourg’s Justice Minister, who will lead negotiations for the Council, said this week after the first trilogue meeting that the institutions have agreed on a “flexible roadmap” to reach this goal. How quickly this might be achievable, however, will depend on the strength of political impetus to see the GDPR pass its final hurdle. It will also involve significant compromise over the area of disagreement between the two texts endorsed by the Council and the Parliament, as well as obtaining the Commission’s seal of approval.
Of course, if agreement over a compromise text fails to be forthcoming, it may be a case of ‘back to square one’, as the Parliamentary members considering the GDPR upon a second reading may take a different view from that of their predecessor parliamentarians. What is clear for now is that, in light of the complexity of the issues that need to be worked through, final agreement is unlikely to be forthcoming any time soon this summer.
This post originally appeared on the Peep Beep! blog and is reproduced with permission and thanks