A political compromise has been reached on the new European Data Protection Regulation. On December 15, 2015, the negotiators in the so-called “informal trilogue” between the Council, the Parliament and the European Commission closed the final issues. Meanwhile, the Luxembourg Presidency informed the LIBE-Committee of the Parliament as well as the Permanent Representatives Committee of the Member States about the outcome. The LIBE-Committee will review the final changes on December 17, 2015, but the aim is not to request further changes. If the text is acceptable to the Parliament and the Council, the formal votes in the so-called early second reading will take place early 2016 and the new Regulation will come into force in early 2018.
In the last Trilogue meeting, agreement was reached on the following issues that had remained on the table until the eleventh hour:
1. High requirements for valid consent
Consent has to be given by “clear affirmation action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement.” In relation to special types of data (such as health data), the consent needs to be “explicit.” The Parliament wanted every type of consent to be “explicit,” but the Council asked for a lower threshold. However, silence, pre-ticked boxes or inactivity will not be considered valid consent. A statement in the recitals of the Regulation clarifying that browser settings could constitute consent was deleted in the final round of negotiations. The text also questions whether the provision of services can be made dependent on consent. The Council thought this was acceptable if the service could be reasonably obtained elsewhere. However, the Parliament did not agree on this clarification to the Recitals. The relevant Article only states in considering whether consent is freely given one should take “into account” whether the consent is conditional for the provision of a service. Consent for different purposes should be separated out in appropriate cases.
Overall, the Regulation sets out onerous requirements for valid consent and businesses will have to reconsider the risks involved in trying to request such consent form data subjects. Existing consents which do not comply with the new requirements will become invalid when the Regulation becomes applicable in 2018.
2. Broad exemptions for archiving, scientific, historical and statistical purposes
The Regulation can potentially hinder archiving or scientific, historical and statistical activities. The negotiators agreed that a number of exemptions with respect to purpose limitation, legal grounds and transparency should apply in these areas. With respect to archiving, these exemptions will only apply if carried out in the public interest. For the other areas, such public interest is not required. This outcome gives hope for “big data,” because it often fits under the categories of scientific, historical or statistical activities. For special types of data (such as health data), national laws will have to provide further safeguards and Member States are allowed to maintain and introduce further conditions. These national laws will probably lead to an uneven European playing field especially for big data in the health sector.
While the negotiators added a sentence stating that the national provisions should not hamper the free flow of data within the Union, that would seem unavoidable in practice given providers have to comply with the laws of each country in which they operate. Given that that Regulation provides for national flexibility in many areas, it will require a high degree of discipline by the Member States to avoid a negative impact on the envisaged harmonization.
3. Age limit for children’s protection is inconsistent
In the Triloque, the negotiators had already agreed that children must be 16 years to give valid consent without parental approval. In the last meeting, concerns were raised that the age limit was inconsistent with age limits in individual Member States. As a compromise, the parties agreed that generally children under 16 are not allowed to provide consent without parental approval, but Member States are permitted to reduce the age limit to 13 years. Another example of the Regulation providing inconsistent rules across Europe by providing flexibility for national laws.
4. No impact assessment for biometric data
The new Regulation requires data protect impact assessments if data processing is likely to result in a high risk to the rights and freedoms of individuals. The large scale processing of biometric data was mentioned as an example for such high risk data processing. However, in the last meeting of the Trilogue, the parties agreed to delete biometric data from the list of examples given the extended use of biometric data for identification purposes.
5. Standardized icons to allow easy transparency
The Parliament originally proposed icons to be used by businesses in order to provide more transparency to data subjects. The Council feared that the proposed icons would probably cause more confusion than clarification. As a compromise, the parties have agreed that the European Commission should be empowered to introduce icons through delegated acts. It remains to be seen whether the Commission will be able to invent icons suitable for consumers.