The new EU Data Protection regulation is now closer with the EU Council of ministers reaching an agreement on a general approach which still leaves some room for negotiations and further headaches…

Data protection experts might have lost all hope of seeing the final draft of the new EU Privacy Regulation in their lifetime, since every step forward was followed by a number of steps backwards.  But three years after the first draft, commentators are quite confident that the EU data protection regulation will finally be approved by the end of the year.

The approval by the EU Council of the latest draft of the EU privacy regulation does NOT mean that the regulation is now approved.  Further discussions with the EU Parliament and Commission still have to take place, and a number of points of discussion appear to remain open:

1. Privacy fines

The European Parliament had requested fines up to € 100 million or up to 5% of a company’s annual worldwide turnover, whichever is the greater, while the Council has lowered the maximum fines back to the greater of € 1 million or 2% of a company’s global annual turnover.

2. One stop shop

I already discussed the “one-stop-shop” rule and its implications for US companies in this post.  The rationale is that companies shall deal with only one supervisory authority for all their European operations.  This might lead to some kind of “shopping” for authorities across Europe to identify the most “suitable” one.  Perhaps to limit such practice, the draft approved by the Council provides for the right of each national data protection authority to deal with a complaint if “the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State”.

3. Data breach notification

A major change to be introduced under the new EU privacy regulation is to oblige ANY entity to notify data breaches – such as cybercrimes affecting Internet of Things platforms – to the relevant data protection authority and to the affected individuals (save for some circumstances), while at the moment this is imposed only on communications providers and – in Italy – in case of data breaches affecting biometric data.  But the draft privacy regulation approved by the Council narrows down the scope of the obligation to breaches that are “likely to result in a high risk for the rights and freedoms of the individuals […] or any other significant economic and social disadvantage”.

4. Explicit consent

Where processing is based on consent, the European Parliament required this consent to be “explicit”, whereas for the Council “unambiguous” consent suffices.  This is a crucial point for technologies such as those of the Internet of Things (IoT).  The attempts by data protection regulators to identify “innovative” solutions for obtaining privacy consent, as occurred in Italy with reference to cookies, might be largely undone by such a strict approach to consent.  And considerable consequences might occur, for instance, with reference to the solution that might be identified as part of the current data protection consultation on the Internet of Things.

5. Data protection officer

The Council made the appointment of the data protection officer no longer an obligation, but left the matter open to the discretion of EU Member States.  This means again that the “shopping” for the most appropriate data protection authority and regime might also depend on such factors.