The latest development in the complex procedural journey of the draft Regulation is the publication of a (mostly business-friendly) compromise text by the Presidency of the EU Council of Ministers. Datonomy takes stock of the current state of play, and highlights the Council’s “direction of travel” on some key practical issues.
What’s the latest news on the regulation?
Last week the EU Council’s Justice and Home Affairs Committee published a draft compromise text of the General Data Protection Regulation. This note from the Presidency to the Council summarises the key points. The Presidency’s marked up text will inform the Council’s negotiating stance with other EU institutions – notably LIBE, the lead European Parliamentary Committee, in the weeks and months ahead. The Presidency’s aim is to “secure broad support for its approach”. The text is significant because although it is by no means the final word, it “reflects the Presidency’s view of the state of play of negotiations at this stage”.
That the Presidency’s amendments reflect a more pragmatic, risk-based stance on the new rules is no surprise, given its statements earlier in the year which Datonomy reported on here. However, as the Presidency’s note states, “no part of the draft Regulation can at this stage be finally agreed until the whole Regulation is agreed”.
The Regulation has also been in the news over the past week because of comments by the proposal’s Rapporteur, German MEP Jan Albrecht, voicing concerns about the extent to which the proposals are at risk of being watered down by the business lobby – to the extent that the new rules could end up being “weaker than the old ones”.
What’s the prognosis for the reforms now, and what’s the timeline?
So, what are the next steps in the process and what is the outlook for the reforms? Should businesses still be gearing up for new rules adopted during 2014 and effective by mid 2016 as per the Commission’s original timetable?
It’s true that, despite the political momentum, the timetable has slipped. A key orientation vote by LIBE has been postponed twice, owing to the massive number of amendments proposed by lobbyists (3,000-4,000 depending on which source you read) – the date of this vote is not clear, although some sources have stated that this vote could still happen at the start of July. Formal negotiations between the Council and Parliament are not expected to kick off until the Autumn.
Opinion is divided on the outlook for the proposals. In a Commission press release Vice President Reding welcomed the text as representing “solid progress”. Mixing her seasonal sporting metaphors, she went on: “Despite the data protection sprint we have seen under the Irish presidency, we have not yet reached the finish line. The ball is now in two courts. The ball is in the Member States’ court to continue progress in the Council, and the ball is in the European Parliament’s court, to reach its own position on the proposals. They will need to move up a gear if they want this reform to happen sooner rather than later. The clock is ticking for international competitiveness.”
There are at least two ticking clocks. The most immediate (informal) deadline is 30 June 2013 when the Irish Presidency of the Council of Ministers ends. Those in favour of the reforms have been keen to see as much progress as possible before the supportive Presidency ends its tenure. The more significant deadline is Summer 2014 when the terms of the current Commission and Parliament expire. Mid 2014 is therefore seen as a make or break point for the adoption of the Regulation.
Key issues for businesses – what’s the Council’s stance?
The Council’s draft compromise text runs to 95 pages and covers Chapters 1 to 4 of the draft Regulation. Key areas of concern for businesses include the following.
- Sanctions: the Council’s draft does not cover enforcement aspects of the proposal, so does nothing to challenge the proposed fines of up to 2% of annual revenues for enterprises.
- General approach: overall, a more pragmatic, business-friendly, risk-based regime is proposed. In particular, the new Recital 3(a) makes it explicit that data protection rights need to be proportionate and balanced against the freedom to conduct a business. The obligations on controllers and processors take account of the nature, scope, context and purposes of processing obligations and the risk levels posed.
- DPOs: the designation of a DPO should be optional (unless required by other EU or national law as is currently the case, for example, in Germany).
- Extraterritorial reach: amendments to Recital 20 and Article 3 would limit the extraterritorial reach of the regime; mere accessibility of a website to EU citizens would not suffice for the Regulation to apply to a data controller based outside the EU. Factors such as language and currency used on a website would come into play in determining whether the test for “offering of goods or services” to EU data subjects would be met for the Regulation to apply. Similarly the “monitoring of data subjects’ behavior” trigger would be narrowed to behavior taking place within the EU.
- Data breach notification: the Council’s amendments introduce a seriousness threshold and a longer (72 hour) deadline for notification of security breaches to the regulator. The threshold for notifying affected individuals would also be raised, to breaches “severely” affecting the individual’s rights, with a number of other mitigating get-outs.
- Consent: for non-sensitive personal data, the Council proposes a shift back from the “unrealistic” requirement for “explicit consent” across the board to a less stringent requirement for “unambiguous consent”. The criteria for valid consent have also been relaxed. (Recital 25 and Article 7)
- Legitimate interests condition: the Council proposes the widening of the legitimate interests condition, with fraud prevention, the anonymising or pseudonymising of data and direct marketing being within the scope of “legitimate interests” (Recital 39).
- Scope of personal data: the scope of personal data and the dividing line with unregulated, anonymous data would be clarified (Recital 23, Article 4).
- Regulation or Directive? The Council acknowledges that 8 Member States (including the UK) oppose a directly effective regulation and therefore the text does not rule out the possibility of the new instrument being a Directive.
The Council’s amendments only deal with Chapters 1 to 4 of the draft Regulation; the Presidency acknowledges that further adjustments will be needed throughout the rest of the proposal.
The Presidential baton passes: will Lithuania keep up the “Irish Sprint”?
So, to recap – and add to Madame Reding’s sporting metaphors: the ultimate finish line is still a long way off, with many hurdles still littering the track. All eyes will be on the passing of the baton from Ireland to Lithuania. What practical difference will it make? This press release by the incoming Lithuanian Presidency assures us that data protection reform is high on its priorities too. However, Datonomy notes this comment from Minister of Justice of Lithuania, Juozas Bernatonis: “Perhaps everybody agrees that the EU data protection reform is necessary; however, the search for solutions and appropriate balance between the protection of the rights of citizens and administrative burden for businesses should not be hasty and considered insufficiently.” Will the pace of the reforms keep up the “sprint” set by the Irish Presidency – or could it slow to a legislative marathon? Datonomy will provide further commentary as the race progresses.