Last week Penningtons Manches attended the Europe Data Protection Congress in Brussels, organised by the International Association of Privacy Professionals (IAPP). Below, partner Jon Bartley reports on some of the comments made by data protection regulators at the Congress regarding the progress of the General Data Protection Regulation (GDPR) and the ongoing EU/US discussions on the Safe Harbor arrangement.
Among the attendees were Isabelle Falque-Pierrotin, President of the French Data Protection Authority (CNIL) and Chairwoman of the Article 29 Working Party, and Luca De Matteis, Justice Counsellor and Permanent Representation of Italy to the EU, and one of those responsible for pushing forwards the negotiations on the GDPR during Italy’s presidency of the EU.
Responding to criticism of the delays in finalising the text of the GDPR, Señor De Matteis was keen to stress that all member states were committed to adopting the new legal framework set out in the GDPR, and to ensuring high standards, but that they wanted it to be workable and to achieve the consent of all stakeholders.
In relation to the 'one stop shop' principle that has been the subject of much negotiation, Señor De Matteis explained that he was hopeful that a position had been reached during the Italian presidency which struck the right balance between ensuring that a single data protection authority would take the lead on enforcement issues, and allowing a data subject access to his or her local data protection authority, under the concept of 'proximity'. The European Data Protection Board would retain powers to intervene to ensure adherence to the GDPR and consistency.
Señor De Matteis is hopeful that their current proposal will be agreed during the next Council of Ministers meeting in December.
Señor De Matteis referred to the lobbying from some member states for the ability to exclude public sector organisations from the remit of the GDPR. The Italian view is that the GDPR should have universal application, but they are proposing a compromise position whereby, subject to compliance with the principles of the GDPR, member states may be given some room for manoeuvre to adopt specific rules applicable to the public sector.
Again, this compromise position will be presented to the Council of Ministers in December.
Señor De Matteis also referred to the overall desire to achieve the correct balance between, on the one hand, protecting the fundamental right to privacy and ensuring data controllers take a pro-active approach to addressing privacy risks, and on the other hand, controlling the administrative burden for organisations. He said he hoped that the correct balance had been struck in the Council draft that will be presented in December, and referred by way of example to the risk-based approach and the proposal to remove certain obligations for SMEs which were not involved in high risk processing.
Señor De Matteis expressed confidence that much had been achieved during the Italian presidency and that, following Italy’s handover of the presidency to Latvia in January, the momentum would continue with a view to finalising the GDPR by the end of 2015. In his view, the 'building blocks of this extremely complex legislation are falling into place one by one'.
It was also noteworthy that, in separate sessions, both Mme Falque-Pierrotin and Señor Giovanni Buttarelli, the incoming European Data Protection Supervisor, stressed the need for the US to deal with EU concerns regarding the Safe Harbor arrangement relating to transatlantic data transfers.
The arrangement has been called into question in the light of the Snowden revelations regarding US government surveillance and, almost a year ago, the European Commission issued a Communication calling on the US government to implement 13 recommendations to improve the functioning of the Safe Harbor arrangement.
In response to Mme Falque-Pierrotin’s demand for 'real answers' from the US, Julie Brill, US Federal Trade Commissioner, stated that the FTC was happy to work with the EU although the final two recommendations, requiring stricter controls over when personal data was accessed for national security purposes and disclosure regarding national security access, were outside the remit of the FTC. In a separate speech, Señor Buttarelli stated that a solution should be found to the Safe Harbor issue within six months.