While the process to adopt the EU General Data Protection Regulation (GDPR) officially started almost four years ago, there is now a clear intention to finalize the text by the end of 2015. As expected (see ZD-Aktuell 2015, 04131), the trilogue process began this year with the first meeting held on June 24, 2015 and has since progressed significantly with additional negotiations in July, September and October after Luxembourg took over the EU presidency on July 1, 2015. There are, however, still a number of issues on which the EU institutions’ opinions are widely divided. Although these issues are likely to be more difficult to resolve, the common goal of finalizing the trilogue process by the end of the year will likely drive the European institutions to take a more reasoned approach during the outstanding negotiations.
Further information on the status of the trilogue negotiations was disclosed in early October 2015 during a meeting of the EU Parliament’s Civil Liberties Committee (LIBE). According to the report given during that meeting, the negotiations on Chapter V (Transfer of personal data to third countries or international organizations) of the GDPR have been completed. Further, it was announced that the negotiations on Chapter II (Principles, including the legal grounds for data processing and the conditions for consent), Chapter III (Rights of the data subject, including the right to be forgotten and the provisions on profiling) and Chapter IV (Obligations affecting data controllers and data processors) are almost finished.
Since then there have been discussions regarding the following points:
- the conditions and form for individuals to give their consent to data processing;
- the extent to which the principles of data minimization are defined in the text;
- the precise language for providing notice to individuals in a transparent way, including the possible use of a standardized set of icons; and
- the obligations for controllers and processors, including the requirement for controllers and processors to appoint a data protection officer with the Council indicating that it would be left up to the EU Member States to establish this requirement.
On October 15 and 28, 2015, the highly controversial Chapter VI (Independent Supervisory Authorities, including the “One-Stop Shop” principle) and Chapter VII (Co-operation and consistency) as well as Chapter VIII (Remedies, liability and sanctions) were discussed. There are still some minor issues to be solved in relation to these chapters as they go to the heart of the interests of the three EU institutions and have been subject to numerous suggestions for amendments and submissions by industry. However, it is not very likely that the main concepts agreed upon so far will be revised significantly.
The following topics were scheduled to be discussed during meetings on November 11-12, 2015:
- the objectives and material scope of the GDPR;
- the flexibility of the public sector as suggested in Chapter I (General Provisions); and
- topics related to Chapter IX (Provisions relating to specific data processing situations), including such topics as freedom of expression, public access to official documents, reuse of public sector information, processing of national identification numbers and processing of data in the employment context.
Some of these topics, such as the processing of personal data in the context of the employment relationship or scientific research areas, may lead to increased media attention.
On November 24, 2015, the institutions will then have the opportunity to take stock and to further discuss any open issues from Chapters I – IX. It is expected that these negotiations will not take too much time as there is a clear trend to quickly find compromises for the text with limited exceptions.
It is currently unclear, however, to what extent Chapter V will be revisited during the trilogue process in light of the decision in the Schrems v. Facebook case by the Court of Justice of the European Union of October 6, 2015 (ZD 2015, 549 m. Anm. Spies). In its judgment, the court concluded that:
- the national data protection authorities have the power to investigate and suspend international data transfers even where the European Commission has adopted a decision finding that a third country affords an adequate level of data protection, such as Decision 2000/520/EC on the adequacy of the protection provided by the Safe Harbor Privacy Principles; and
- the Safe Harbor Decision is invalid.
Considering the statement by the Article 29 Working Party issued on October 16 and the European Commission’s communication published on November 6, 2015, it is likely that Chapter V will at least be discussed from a general perspective to ensure that stakeholder concerns are addressed.
In its statement on the Safe Harbor decision, the Article 29 Working Party called upon the EU Member States and EU institutions to open discussions with U.S. authorities in order to find political, legal and technical solutions enabling transfers to the U.S. that respect EU citizens’ fundamental rights. According to the Article 29 Working Party, an intergovernmental agreement providing stronger guarantees to EU data subjects and a new Safe Harbor could offer such solutions.
Importantly, the Article 29 Working Party indicated that it will continue analyzing the impact of the ruling on other data transfer mechanisms, such as standard contractual clauses and Binding Corporate Rules. The Article 29 Working Party confirmed that, during this period, businesses can still rely on these data transfer mechanisms to transfer personal data to the U.S.
According to the statement, however, this does not exclude the possibility for national data protection authorities to investigate particular data transfers (e.g., following a complaint) and exercise their powers to protect individuals. Furthermore, if no solution is found with the U.S. authorities by the end of January 2016, the data protection authorities may, depending on the outcome of the Article 29 Working Party’s assessment of the other data transfer mechanisms, decide to take coordinated enforcement actions.
Although it would be premature at this point in time to speculate what the outcome of this assessment may be, there is no doubt that the data protection authorities feel very much confirmed in their independence and powers by the court’s decision. As such, businesses should take note of this sentiment.
To counterbalance these statements by the national data protection authorities, the European Commission stated in its communication that it has intensified its discussion with the U.S. Government and confirmed its objective to finish the discussions for an updated framework for transatlantic transfers of personal data in three months.
According to the European Commission, the updated framework must provide sufficient limitations and safeguards to ensure the continued protection of EU citizens’ personal data, including with respect to access by public authorities for law enforcement and national security purposes.
The European Commission also invited companies to cooperate with the data protection authorities and stated that it will work closely with the Article 29 Working Party to ensure the harmonized application of EU data protection law.
A harmonized application of EU data protection law in this situation is welcome, but considering the differing statements by national data protection authorities in the context of the Schrems case, it remains to be seen if this will be the case in practice. Further, companies may not have much of a choice other than implementing alternative data transfer mechanisms if they want to mitigate risks of non-compliance before the end of January 2016.
According to the draft agenda of the roadmap for additional trilogue meetings, Chapter X (Delegated acts and implementing acts) as well as Chapter XI (Final provisions) will be discussed next, on December 10 and 15, 2015, if negotiations are still necessary after the meetings in November.
The intention seems to be to discuss any remaining issues to be able to progress the text of the GDPR as much as possible before Christmas 2015. These topics should be less controversial although it seems likely that the discussions will touch upon very politically sensitive areas such as the powers of the European Commission to delegate and implement acts under GDPR. With the end in sight, however, this could be a very swift negotiation.
Another important date to take note of is December 3, 2015. The Justice and Home Affairs Council, which is made up of the justice and home affairs ministers from all EU Member States, will meet on this date and would be able to address the progress of the GDPR with an eye toward completion by the end of the year. There is currently a high expectation that a final text of the GDPR will be adopted during the last weeks of December before the Netherlands takes over the EU Presidency on January 1, 2016 – or shortly thereafter. In any case, the GDPR would enter into force two years after adoption and would then become directly applicable law in all EU Member States.