On 5 and 6 June, the Council of the European Union, formed of the relevant ministers from each member state (the “Council”), came to a consensus on: (i) the rules governing international data transfers; and (ii) the territorial scope of the draft General Data Protection Regulation (the “Regulation”). The meeting follows the European Parliament’s formal adoption of a compromise text of the Regulation in March this year. The Regulation, discussed in our previous Law Now, is intended to form the framework for an updated and more comprehensive data protection regime across the European Union.
The Council reached agreement on its approach to certain parts of the Regulation including the provisions concerning the transfer of personal data to non-EU jurisdictions. The Council agreed that lawful transfers to non-EU jurisdictions could be achieved by three methods:
- first, if the EU Commission (the “Commission”) considers that the jurisdiction in question provides adequate protection to such data;
- secondly, in the absence of an adequacy decision, through the use of appropriate safeguards such as binding corporate rules, standard data protection clauses adopted by the Commission, an approved code of conduct or an approved certification mechanism; and
- thirdly, in specific situations where the transfer is necessitated (for instance on public interest grounds).
Any transfers to third countries not covered by these standards will require the authorisation of the competent data protection authority.
The Council further agreed that the Regulation will apply to non-European companies if they do business in EU territory. This approach is consistent with the recent decision of the Court of Justice of the European Union in which the processing of data through the search engine facilities provided by Google Inc., a US entity, was seen to fall under the scope of the current EU data protection regime, contained within Directive 95/46/EC. The court held that the processing was carried out ‘in the context of the activities’ of the member of the Google group located in an EU member state.
The Council also considered the ‘one-stop-shop’ principle which would allow multi-national companies to deal solely with the data protection authority of the member state in which the company is established. The principle has been extensively debated in previous sessions as some member states are concerned that the principle puts the interests of the data controllers above those of consumers, who may be denied effective access to justice as a result of the new rules. Various proposals were considered to address concerns regarding the proximity of the data controller to the data subject and the role of local data protection authorities. However, the Council did not reach an agreement on this point.
As no further compromises have yet been reached by the Council on other parts of the Regulation, negotiations are expected to continue into 2015. Under the current timetable, the Regulation is unlikely to come into force until 2017. The Council is next due to meet on 10 October to further discuss progress towards formal adoption of the Regulation.
Given that the current draft Regulation allows the relevant data protection authority to impose sanctions of up to 5% of global annual turnover for non-compliance with the obligations under the Regulation, any entity doing business in the European Union should take note of the expanded scope of the provisions. While a final version of the Regulation is still a way off, there is little doubt that the reporting and security obligations it will eventually impose will require businesses, both based in the EU and outside, to develop their internal compliance mechanisms to respond to the changes in order to avoid facing hefty penalties.