Earlier this month the EU Council took significant steps to progress the long-awaited General Data Protection Regulation by reaching a partial general approach on specific issues of the draft. In its meetings of 12 and 13 March, compromise was reached on key elements of the Council’s approach, including in relation to the “one-stop shop” mechanism and the general principles protecting personal data. EU ministers have called for the next meeting of the Council in June to be the forum for finalising its general approach.
According to the Council’s publication summarising the outcome of the meeting, the Council’s approach is that the one-stop shop mechanism should play a role in “important cross-border cases”, providing for “cooperation and joint decision-making” between the various data protection authorities concerned. The jointly agreed decision would be adopted by the data protection authority best placed to deliver the most effective protection from the perspective of the data subject, with a view to “ensure consistent application, provide legal certainty and reduce administrative burden”.
Ministers have endorsed a set of principles for lawful, fair and transparent data processing, in which emphasis has been placed on the processing of special categories of personal data.
The trialogue process between the EU Council, Commission and Parliament will follow the Council’s general approach; provided the process goes to plan, according to a tweet by EU Justice Commissioner Věra Jourová, we may be “on track for conclusion in 2015” (almost four years after the Commission finalised its approach). If the two year implementation period is maintained as envisaged, a 2017 implementation can be expected.
The Council has stated that the legislative reform aims at “creating a more rigorous and coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and provide for greater legal and practical certainty for economic operators and public authorities”. Now is the time for businesses and organisations to continue preparing for the Regulation by auditing their current approach, putting appropriate policies and procedures in place and raising awareness of the new requirements.