As 2014 draws to a close, there is still time (but not much time) for the European Commission to meet its target of introducing a new EC data protection Regulation (Regulation) by the end of the year. It seems far more likely, however, that we are looking at 2015 although, according to some reports, even that looks optimistic. Nearly three years on from the publication of the first draft proposals, deadlines have come and gone and we are still waiting to see what the final legislation will look like.
After a flurry of activity in the first half of the year, culminating in the European Parliament adopting an amended version of the Regulation, progress seems to have stalled in the Council. So what exactly has been going on this year?
The European Parliament draft
The European Parliament published its proposals for amendments to the original draft Regulation towards the end of 2013. In January, the UK's Information Commissioner (ICO) published an analysis of the new draft.
The ICO commented favourably on:
- the consistency in approach;
- the high standard of consent;
- the risk-based approach e.g. basing the threshold on the number of individuals whose data is processed by an organisation rather than the number of people it employs and requiring notification of data breach "without undue delay" rather than within 24 hours;
- the concept of the 'one stop shop' which, says the ICO, the European Parliament has improved on to "strike the right balance in the relationship between 'lead' and 'local' data protection authorities".
The ICO highlighted the following issues as needing further consideration:
- the introduction of the concept of pseudonymous data which the ICO thinks will muddy the distinction between personal and non-personal data;
- the recommendation that privacy notices be longer and more detailed in order to ensure transparency – the ICO says the Regulation needs to be flexible in order to encourage innovative and effective ways of explaining things to individuals;
- the prescriptive nature of the setting out of what organisations need to do to comply with the law;
- the introduction of standardised information policies which the ICO says are less likely to be effective than those developed through codes of practice and other 'soft-law' mechanisms; and
- the high level of prescription and tightening up of rules on the export of personal data to countries outside the EEA.
The EU Parliament adopted the amended version of Regulation in March, just before the elections in May but it remains possible that the new Parliament could have the opportunity to make further changes. If the Council and Parliament fail to agree on a compromise text, the draft Bill will be sent back to the Parliament for a second reading, at which point, the new Parliament may take a very different view to the previous one and we could go back to the drawing board.
The Council draft
In March, the Presidency of the Council of the European Union published a progress report on the Regulation.
The report highlighted four areas for revision and stated that discussions were ongoing in relation to the principle of the 'one stop shop', international transfers and territorial scope although the latter had been more or less agreed on.
The areas on which further re-drafts were proposed were:
- pseudonymisation – the concept should be introduced into the Regulation;
- right to data portability – the Presidency recommended removing the public sector from the scope of the right and refining the right so as to reduce the potential burden on data controllers. The compromise text is intended to ensure the protection of other concerned individuals and take into account the need for technological neutrality;
- obligations on controllers and processors – clarifying the relationship between controllers and processors, including through introducing optional standardised contracts between the two; and
- automated decision making based on profiling – automated decision making should be allowed, if necessary, for entering into and performance of a contract on the basis of explicit consent of the data subject or when explicitly authorised by Union or Member State law, including for fraud, tax evasion prevention and monitoring purposes. However, profiling and automated decision-making based on special categories of personal data should only be allowed under specific conditions.
At a subsequent meeting of EU Justice Ministers, there was reportedly widespread support for the law to apply to any company located outside the EU which targets EU citizens although some countries commented that this would be difficult to enforce, particularly where national laws conflicted. The subject of transfers outside Europe was another hot topic with some Member States pushing for further tightening of the provisions while others, including the UK's Chris Grayling, argued that overly prescriptive rules would be damaging to services such as cloud computing. In addition, the issue of how to handle pseudonymisation was discussed. There appeared to be an acceptance by Ministers that the concept of pseudonymised data should be included in the Regulation. Where the Council seemed to depart from the views of the EU Parliament was over the extent to which reduced compliance obligations should apply to the processing of this data.
In April, the Greek Presidency of the European Union reportedly proposed a compromise on one of the most contentious areas of the Regulation. In the original draft, the concept of a single regulator for each data controller was proposed, even where the data controller operated in multiple European jurisdictions. While business welcomed the concept, there has been pushback from regulators who argue that data subjects would find it difficult to take action in relation to data breaches where a lead regulator was located outside their own country, and that this would effectively muzzle local regulators.
The proposed compromise was for the so-called 'one stop shop' mechanism to apply only where the same issue affects citizens across more than one Member State. National regulators would deal with data protection breaches affecting citizens in their own jurisdiction or involving a public authority in their jurisdiction but a lead authority would be appointed in situations involving more than one jurisdiction. The European Data Protection Supervisor would issue guidance on how the lead authority would be decided on.
Later in April, the Greek Presidency of the European Union had already reportedly abandoned attempts to agree the new draft data protection Regulation by June. Instead, the focus was on a "partial general approach" to reach consensus on a few key provisions including the data portability clause and the 'one stop shop'. Even this reduced scope was described as "a Herculean task" by Greek Official Lilian Mitrou while addressing a conference in Brussels.
At the meeting of the Council of Ministers in June, the negotiations continued. The Presidency of the Council of Ministers set out new draft plans aimed at resolving the concerns about the 'one stop shop' mechanism proposals. The proposals, developed from those made in April, aimed at giving national data protection authorities (DPAs) more power than currently envisaged under the draft, where they are not the lead authority in relation to an organisation, and to prevent forum shopping. In particular, the Presidency suggested that the 'one stop shop' mechanism be disregarded where the subject matter of the processing concerns processing carried out in a single Member State and involving only data subjects in that state. In that case, it would be the local DPA which would have jurisdiction. Local DPAs would also get a say in cases being handled by a lead authority but involving consumers in their jurisdiction and a co-operation mechanism would be introduced which would give local DPAs input into the decision making process of a lead authority. Individuals would also be able to go to their local authority with any issues and empower the local DPA to deal with the issue where no other Member States are involved. Local DPAs would be able to object to draft decisions issued by local authorities. Cases would then be referred to the European Data Protection Board for final determination.
Whether these proposals are welcomed by Justice Ministers remains to be seen. The relative simplicity of the original proposals appears to have been eroded and, if accepted, the new proposal is likely to mean that businesses operating in multiple Member States will still have to deal with being regulated in each of them.
In relation to transfers outside the EU, the Council of Ministers reached a compromise wording which would give businesses the options of agreeing binding corporate rules, using standard approved contract terms, or obtaining authorisation from DPAs. Additionally, data transfers would be permitted for reasons of public interest and other exceptions, including where strictly necessary for legitimate business interests, provided they are not overridden by the interests or rights and freedoms of the data subject.
There is no final agreement on either issue at the moment but the Council has reportedly agreed that companies based outside the European Union will be required to comply with European data protection law when processing the personal data of European citizens.
The controversial ruling by the Court of Justice of the European Union in the Google Spain case (see our article, "Google Spain and the 'right to be forgotten'") has thrown the issue of a 'right to be forgotten' back into the limelight with the UK's House of Lords Committee among those calling for the new Regulation to overturn the effect of the ruling and ensure search engines are not caught as data controllers.
Patience is starting to wear thin in some quarters, it seems, with concern growing in the wake of the surveillance scandal about the export of European personal data to third parties (see our article, 'The mass surveillance scandal fallout'). In September, in a joint declaration adopted at an inter-parliamentary meeting, sixteen EU Member States including the UK, France and Germany, called on European legislators to adopt the new EU data protection Regulation "by 2015". Germany also called for the right to 'gold plate' any new Regulation and a report published by the French Council of State, called for the "right to the international policing of international privacy law" in order to guarantee the primacy of European law over third party contractual law.
So what now?
At the time of writing, Member State Ministers continue to appear worlds apart on a number of fundamental issues. Once they have agreed their draft, trialogues will begin between the Commission, the Parliament and the Council to reach a compromise between the three drafts. The question is whether the political impetus to see the Regulation passed will be enough overcome the areas of disagreement and, whether that will mean the final version gets significantly watered down from the original proposals. It's still a case of 'wait and see'!