In June 2015, the Council of Ministers of the European Union (the "Council") finally agreed a general approach on the proposed EU General Data Protection Regulation (the "GDPR"), paving the way for negotiations to commence between the European institutions to agree a final version of the new GDPR.
Back in January 2012, the European Commission (the "Commission") published its draft GDPR, signalling the start of the legislative process to agree a new regulatory regime for data protection in Europe. The proposals represented a significant overhaul of the existing regime and, whilst there was commentary at the time suggesting that they would be adopted by the end of 2012, the process has already taken much longer and there is still a way to go.
The first part of the legislative process following the Commission's proposals was for the European Parliament to adopt its first reading position. This was achieved on 12 March 2014, after taking into account over 4,000 proposed amendments on the draft text.
The next step in the legislative process was for the Council to review the Parliament's position and adopt its own first reading position. This was finally achieved over a year later, on 15 June 2015, meaning that, over three years after its initial publication, the legislative process for the adoption of the GDPR can now enter its next phase and trilogue negotiations between the institutions can begin.
The adoption by the Council of its position marks a key step in the legislative process. However, whilst the process may start to gain a little momentum now, it is clear from the three texts available (the Commission's initial draft, the Parliament's position, and the Council's position) that the institutions remain conceptually far apart on a number of key aspects to the GDPR.
Key areas of difference
The following areas of the GDPR highlight some of the key differences in approach between the European institutions which will need to be negotiated and agreed as part of the trilogue discussions:
- Consent – One of the major criticisms of the current Data Protection Directive is the varying levels of consent required for different types of data processing. Both the Commission and the Parliament had sought to do away with this complexity in the GDPR by providing for consent to be freely given, specific, informed and explicit in relation to the processing of all types of data. The Council has amended this position by removing the requirement for explicit consent from the processing of ordinary personal data, requiring instead "unambiguous" consent. The requirement for explicit consent is, however, reinstated in relation to the processing of sensitive personal data, meaning that, once again, differing levels of consent would be required for different types of personal data.
- Data Security Breach Notifications – One of the key new obligations under the GDPR looks likely to be the obligation upon data controllers to report data security breaches to their national regulatory authority. The Council has sought to impose a materiality threshold and restrict this notification requirement to breaches which are likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of data protected by professional secrecy, or any other significant economic or social disadvantage. The Council has also amended the draft text to require any data security breach notification to be made within 72 hours. The Commission's original text proposed a 24-hour deadline, and the Parliament's proposal required notification without undue delay.
- Data Protection Officer – The Commission's original draft GDPR required a data controller/data processor to appoint a data protection officer ("DPO") when it employed more than 250 people. The Parliament's position amended this requirement slightly but still required a DPO to be appointed in a number of circumstances. The Council has amended this requirement so that the appointment of a DPO would only be mandatory if required by EU or Member State law. Otherwise, it would be a voluntary action. Interestingly from an employment law perspective, the Commission and the Parliament also provided job security for the DPO. In their proposed texts, the DPO could only be dismissed if he or she no longer fulfilled the conditions required for the performance of his or her duties. In the Council's proposed text, an amendment would allow for the DPO to be dismissed where there are serious grounds under the law of the Member State which justify the dismissal of an employee or civil servant.
- Subject Access Requests – A number of changes are being proposed by all three EU institutions in relation to subject access requests. Currently there is a nominal fee which must be paid together with any subject access request. The GDPR does away with the requirement for a fee unless the request is manifestly excessive, in which case a fee may be charged. The Council has amended this position so that there is no ability to charge a fee, but a data controller may refuse to comply with a subject access request where it is manifestly excessive or unfounded. There are also changes to the timeframe for compliance. The Commission suggested a one month timeframe to comply with a subject access request, with the potential to extend the timeframe by a further month. The Parliament amended the initial timeframe to 40 calendar days, and the Council has reverted to one month but with the ability to extend by a further two months.
- One Stop Shop – The idea of a "one stop shop" mechanism for regulating data protection was contained within the Commission's original draft of the GDPR. The Commission wanted to introduce a new framework which would avoid businesses having to engage with the national regulatory authority of every EU country in which they process consumers' personal data. It wanted a new system which would allow businesses operating across the EU to answer to just one regulatory authority – in general the one based in the country of its main establishment. Under the Council's proposals, data protection matters would be regulated differently depending on whether or not the complaint relates to activities in more than one Member State. The Council has proposed a new cooperation mechanism to take place between the "lead" regulatory authority and other concerned regulatory authorities, with disputes between the authorities being referred to a new European Data Protection Board.
- Sanctions – Whilst all the European institutions seem to agree that the level of fines imposed under the new GDPR should be increased from the current UK maximum of £500,000, there is still a large discrepancy between the institutions as to what that maximum level should be. The original Commission draft of the GDPR proposed maximum fines of up to EUR 1 million or 2% of annual worldwide turnover. The European Parliament then proposed raising this significantly to EUR 100 million or 5% of annual worldwide turnover. The Council's proposals have suggested a return to the figures originally suggested by the Commission.
With the adoption of a general approach by the Council, the three European institutions are now free to enter into a trilogue in order to try to agree a final position on the GDPR. Indeed, the first trilogue session took place on 24 June 2015, and a draft timetable for the remaining trilogue sessions published by the European Parliament envisages the institutions reaching final agreement on the GDPR by the end of 2015. Once adopted, there would then be a two year period before the GDPR was applied (i.e. it would in practice come into effect towards the end of 2017).
This timetable may prove to be optimistic given the major issues outlined above which are still to be negotiated and agreed between the parties. However, it cannot be denied that we are now one step closer to a new data protection regime.