Posted: 17/07/2015
On 15 June 2015 the EU Council of Ministers agreed on a general approach to the proposed EU Data Protection Regulation, which was first put forward by the European Commission in January 2012. The Regulation contains measures aimed at harmonising data protection procedures across the EU and strengthening data protection rights. Once adopted, it will replace the existing Data Protection Directive (Directive 95/46/EC) and have direct effect in all EU member states. Local laws which implement the Data Protection Directive (such as the UK Data Protection Act 1998) will need to be repealed.
The next step for the Regulation is negotiations between the Council, the European Parliament and the Commission to agree on its final text. The first session is planned for 24 June 2015 and negotiations are expected to last until the end of 2015 or early 2016.
Key provisions in the draft Regulation proposed by the Council include:
The relevant supervisory authority will determine on a case-by-case basis the sanction to be imposed, in accordance with the Regulation's criteria. Sanctions range from a warning to a maximum fine of EUR 1 million or 2% of the company's worldwide annual turnover, whichever is higher. This is lower than the fine proposed by the European Parliament of up to EUR 100 million or 5% of annual turnover, whichever is greater.
The Regulation extends to non-EU data processors as well as non-EU data controllers. It will apply not only to data controllers and data processors within the EU but also to those outside the EU whose data processing activities relate to the offering of goods or services to, or the monitoring of, data subjects within the EU (eg through the use of cookies or other tracking devices). This means that it will apply, for example, to a US citizen if his data is processed by a company within the EU. It will also apply to a US company if it offers goods or services in the EU and collects data of EU citizens.
The Council’s draft requires data controllers to notify high-risk personal data breaches to the supervisory authority in their jurisdiction upon becoming aware of such a breach and, if possible, within 72 hours. The data controller is also required to notify the data subject without undue delay, unless the affected data has had appropriate technological protection measures applied to it or notification would adversely affect a substantial public interest. This somewhat relaxes the onerous position in the Commission’s earlier proposal, which required notification within 24 hours of the breach.
The obligation to erase personal data (the right to erasure) has been the subject of much debate. The Council’s draft provides that the data controller is under an obligation to erase personal data without undue delay in a number of circumstances, including where the data was collected when the data subject was a child; where the data is no longer necessary for the original purpose; and where the data subject objects. This is not an absolute right and there are a number of exceptions, including where the processing is necessary for exercising the right of freedom of expression and information; for the performance of a task carried out in the public interest; for archiving purposes in the public interest; for the establishment, exercise or defence of legal claims; and where it is required to comply with a legal obligation of the controller.
The Council’s draft is also more measured in terms of a data controller’s obligations. A data controller is obliged to take reasonable steps to have data erased, but can take account of available technology and the cost of implementation of such technology.
The right to portability aims to make it easier to move personal data from one service provider to another (eg to a different social network). In the Council’s draft of the Regulation, the right to data portability is limited to the data provided by the data subject to the controller. Data portability does not apply if it would infringe intellectual property rights in relation to the processing of the data.
The Council’s draft provides that the appointment of a data protection officer is voluntary unless required under EU legislation or the national law of individual member states. This differs from the position in earlier drafts from the Commission and the European Parliament, which both proposed that the appointment of a data protection officer would be compulsory once certain thresholds were met. The Commission proposed a threshold of 250 employees; Parliament proposed a threshold of processing the data of 5,000 individuals in 12 months, or processing sensitive data. The Council’s approach on this issue, if adopted, will allow a lack of harmonisation between member states on the need to appoint a data protection officer.
The one stop shop mechanism was proposed to reduce costs and provide legal certainty by allowing companies to deal with a single Data Protection Authority (DPA) in the member state where they are established.
The one stop shop mechanism set out in the Council’s draft applies only in important transnational cases, with all interested DPAs having the right to be consulted and participate in joint operations. Decision making can be deferred to the new European Data Protection Board where there is disagreement between the DPAs.
The Council’s draft has certainly seen some changes which will be welcome to data controllers (particularly in relation to the reduction of fines and the increase in timescales for notification of high-risk breaches). However, it does retain some provisions which allow for national regulation of data protection issues (for example, in relation to handling of employee data) and seems to increase the circumstances in which national-specific data protection rules can apply (such as with the requirement to appoint a data protection officer). Therefore, it remains to be seen whether the Regulation, once it reaches final form, will meet the objective of genuinely providing greater harmonisation of the legal framework for data protection in practice within the EU.