It is now three years since the European Commission published the draft General Data Protection Regulation. The publication of the draft Regulation generated significant commentary and debate among stakeholders across the EU, with a number of commentators initially predicting that it would be finalised and adopted by late 2014. As we know, the draft Regulation’s progress has been slower than initially predicted but on the occasion of Global Data Protection and Privacy Day (28 January 2015) it seems fitting to consider the latest developments in respect of the Regulation.
On 7 January 2015, the European Parliament’s lead rapporteur on data protection reforms, German MEP Jan Philipp Albrecht, warned that concerns voiced by the UK, Germany and France raised serious doubts as to whether the Regulation could be finalised and adopted before the end of 2015. Mr Albrecht’s comments followed a commitment, given by EU member states as recently as October 2014, to adopt the Regulation “by 2015”.
Mr Albrecht stated that Germany and France are both concerned with the “one-stop-shop” approach proposed by the Regulation, the primary purpose of which is to enable international organisations to process personal data in multiple EU member states under the supervision and regulation of a single national data protection authority. Germany and France fear that this approach could result in the national data protection authority of a smaller member state deciding a data protection issue that affects the processing activities of an international organisation across the EU.
Mr Albrecht outlined that the UK is particularly concerned with the structure of the proposed reforms to the EU data protection regime. The UK strongly believes that the proposed changes to the EU data protection regime should be effected through a directive rather than by way of a regulation, as is currently proposed. The key distinction between these options is that an EU directive must be subsequently transposed into national laws by each Member State through implementing legislation, while an EU regulation uniformly applies across the EU without the need for any implementing legislation at a national level.
The UK, Germany and France have voiced these concerns with the Regulation during the course of the Council of the European Union’s consideration of the Regulation. The Council is composed of the justice ministers of each Member State and it is the only EU institution still to agree its negotiating position on the Regulation, which must occur before the commencement of trilogues between the Commission, the Parliament and the Council to agree on the final wording of the Regulation.
Mr Albrecht’s comments also pointed to certain differences of opinion which exist between the EU institutions on the Regulation. In respect of the concept of individuals’ consent to the processing of their personal data, the Parliament and the Commission want the Regulation to require organisations seeking to rely on such consent to ensure that it is a freely given, specific, informed and explicit indication of an individual’s wishes and that it takes the form of a statement or a clear affirmative action. By contrast, the Council wants such consent to be “unambiguous”, which would generally be considered to be a less stringent test to satisfy.
The Parliament also wishes to see the maximum financial penalty for breaches of the Regulation set at 5% of the offending organisation’s global annual turnover. In contrast, the Council supports a maximum financial penalty of 2% of the offending organisation’s global turnover.
Mr Albrecht’s recent public comments make clear that significant differences of opinion remain to be resolved at a national level within the Council and at an institutional level within the EU before the Regulation can progress towards a final form and adoption. It is, however, hoped that by drawing attention to these outstanding differences, Mr Albrecht’s comments will help to focus minds at both an EU and national level on reaching agreement as to the form and content of the Regulation, and delivering on the commitment made by EU leaders in October 2014 to introduce the proposed reforms to the EU data protection regime before the end of 2015.