We've been writing versions of this article for a few years now, charting the progress of the General Data Protection Regulation (GDPR) towards enactment. Much as suspected, 2015 did not see the introduction of the GDPR, but real progress has been made.
What progress was made in 2015?
The Council version
The Ministers in the Justice Council announced their agreed general approach on the Commission proposals for a GDPR in June 2015. This was a major step towards finalising the legislation. Among the proposals agreed by the Council were:
- one Europe, one law – a single harmonised data protection law for the whole of Europe;
- the 'one stop shop' approach – companies will deal with one law, not 28, and notification requirements will be removed. Individuals will only have to deal with their home national data protection authority (DPA) in their own language, even if their data is processed outside their home country;
- enhanced data subject rights – the right to be forgotten (provided it does not encroach on the freedom of expression and information) and the right to data portability are supported by the Council;
- jurisdiction – the Council agrees that non-EU companies will be required to comply with European data protection law when offering services in the EU;
- enhanced powers for data protection authorities – DPAs will be given enhanced enforcement powers including the ability to levy fines of up to 1m Euros or up to 2% of annual global company turnover;
- data breaches – serious data breaches will have to be reported to the relevant DPA as soon as possible and within 24 hours if feasible;
- data protection by design and default – the Council intends for these to become essential principles in EU data protection rules; and
- consistency mechanism – proposals to ensure that the rules are applied the same way in each Member State by streamlining cooperation between DPAs.
The Council draft proposed far greater flexibility for Member States than the Commission and Parliament versions did about how, and what, they implement across large parts of the GDPR, including many of the data subject rights. The obvious explanation for this is that it was the only way the stalemate in the negotiations could be overcome.
The GDPR then moved to the final stages of negotiation as trilogues between the Commission, the Parliament and the Council began in June to resolve differences between the three proposals and agree the definitive legislation. The intention was to agree a general position in October and complete the process by the end of the year, although at the time of writing this seems unlikely to be achieved.
The Article 29 Working Party's Opinion
As the trilogues began, the Article 29 Working Party (WP) wrote to representatives of the three institutions involved in agreeing the GDPR, formally giving its Opinion on issues it felt required special attention which included:
- the legislation must be in the form of a Regulation. The scope of the proposed Directive should not go wider than currently proposed;
- personal data should be defined in a broad manner in line with technical evolution and take into account CJEU judgments on the extent to which IP addresses and other identifiers constitute personal data. The WP encourages pseudonymisation but says it should not be defined as a separate category of data with lower standards of protection;
- it should be possible for controllers to process personal data for purposes that are not incompatible with the purpose for which the data was originally collected, provided there is a legal basis. Processing for archiving and research should also remain possible and be considered as a not incompatible purpose. The importance of retaining the purpose limitation is also stressed;
- existing rights must not be reduced and the data portability right should be included. Data Protection Authorities (DPAs) must be endowed with sufficient resource and powers to allow them to enforce effectively, not just in terms of sanctions (which must be sufficiently weighty to act as a real deterrent) but also in terms of providing guidance and compliance tools; and
- a new governance model based on proximity to citizens and efficiency for business. Sufficient powers for DPAs and increased cooperation between them via a lead DPA and, where necessary, a financially and functionally independent EDPB will be necessary.
The EDPS Opinion and suggested text
This was followed in July by an Opinion from the European Data Protection Supervisor (EDPS) together with suggested text compared with other versions and an app to allow comparative comments as trilogues progress. The EDPS stressed he is not involved in the trilogues and his role is to offer advice proactively. Among the recommendations were:
- data processing must be both lawful and justified and purpose limited;
- consent should be granular with the ability to give broad or narrow consent;
- legitimate purposes should not be a justification for third party transfers;
- more independent, authoritative supervision;
- rules which will work in practice and which depend on effective safeguards not procedures;
- a better equilibrium between public interest and personal data so that data protection rules do not hamper historical, statistical and scientific research which is genuinely in the public interest; and
- future-proofed rules.
The EDPS also called for revision of the ePrivacy Directive and Regulation 45/2001. The EDPS warned against weakening data protection rights during the negotiation process but also recommended facilitating innovation with a legal framework which is positive towards technological benefits.
The ICO's views
The ICO published its own views in September. Points to note include:
- the ICO thinks the Council's draft gives too much scope to the development of different European regimes;
- while the ICO supports the exclusion of the concept of pseudonymous data as a separate category of data, saying it should be used only as a privacy enhancing technique, it thinks the Council's drafting allows for confusion as to the treatment of pseudonymous data with the possibility that some will be personal data and some will not be;
- the ICO does not agree with the Council's Article 6, which deals with the concept of incompatible further processing purposes, as it confuses legal justifications for processing with purpose limitation. The ICO says any incompatible processing should only be allowed strictly within the terms of a relevant exception to the data protection principle;
- the ICO criticises the Council's drafting for confusing references to explicit and unambiguous consent and says there should be a single, high standard category of consent to avoid uncertainty;
- the ICO is concerned that the Council requirement for parental consent to processing of child personal data is too restrictive, particularly as it appears to apply to older children as well as those under 13. The ICO says older children should have independent access to some services provided the necessary privacy protection is in place;
- there is concern that the suggested methods of communicating information to data subjects are too traditional and do not encourage finding innovative ways to deliver increasingly complex information to "ordinary people";
- the Council's provisions around when a charge for a subject access request (SAR) might be levied are criticised as unclear. The ICO is not against such a charge in principle, provided it is clear when it can be imposed. The ICO is also concerned that under the Council's draft, there is no obligation to disclose personal data under a SAR where it would involve disclosure of the personal data of another data subject. The ICO says the third party's data should only be withheld where their right to privacy outweighs the data subject's right to access the data;
- the ICO is against the use of the phrase "right to be forgotten" on the basis that it will lead individuals to believe they have an absolute right to deletion of their data which is not the case – a right to erasure is seen as preferable;
- the ICO is against the right to object to processing being watered down from the original Commission proposals;
- the ICO is in favour of the right to object to automated processing including profiling being limited to situations where the data subject is significantly affected but is critical of the Council's requirement for a "human intervention safeguard" which it believes is not always practical;
- the ICO does not think the Article 28 documentation requirement should apply to SMEs;
- the ICO supports the introduction of a de minimis concept in relation to the reporting of data breaches – the Council text refers to "high-risk breaches";
- there is concern that as failure to consult a supervisory authority on risk mitigation measures can fall into the highest fine tier, data controllers will be over cautious and consult too frequently. The ICO is of the view that a requirement to consult should only be obligatory in exceptional circumstances if at all;
- the ICO supports increased flexibility in when a data protection officer (DPO) needs to be appointed but is critical of the prescriptive nature of a DPO's required qualities and functions as set out in the Council draft;
- the 'one stop shop' principle has been watered down and is too confusing, in particular the role of the lead authority and the power of the EDPB;
- the three-tier fine system is too inflexible and does not allow for enough discretion by the supervisory authority. The ICO favours a list of offences which could attract a fine and the removal of the tiers.
So all the versions and all the opinions on the versions are in. The consultation process is over and now what remains is to take everything on board and agree a final version. There has not been a great deal of public visibility over the progress of the trilogues but the Commission remains hopeful that agreement will be reached and the final version of the GDPR will be published in early 2016. There are rumours that publication will be on 28 January 2016 (Data Protection Day) although some say we are more likely to be looking at the first half of the year.
It remains to be seen whether recent events around transatlantic data exports delay the GDPR and when exactly agreement will be reached, but unlike in previous years, it really does seem that next year will be the year of the GDPR. This would mean implementation during the course of 2018.
The ICO recently issued its own advice on getting up to speed with the Data Protection Act 1998 as a precursor to the GDPR, and you can also listen to Taylor Wessing's webinar on the subject as well as read our articles on key issues in the GDPR. It is safe to say that any cost impact of the GDPR will be reduced, or at least spread out, for those who are well prepared.