As the European Commission (the “Commission”) continues its consultations on the draft General Data Protection Regulation (the “Regulation”) intended to modernise the EU’s existing data protection rules and principles, it is receiving ongoing criticism, not least from UK bodies. We consider the recent issues from an EU and a UK perspective.
The Commission has been in consultation with the data protection authorities of the EU’s Member States, who are grappling with how to strike the right balance between granting sufficient rights to individuals without overburdening businesses. It is widely acknowledged that there is still a significant amount of work to be done before the Regulation is finalised, and that the existing target date for reaching political agreement on the Regulation before the end of 2014 is ambitious.
Viviane Reding, Vice President of the Commission, and the Commissioner currently responsible for the Regulation and its revision, recently spoke at a Justice Council Press Conference in Luxembourg to encourage swift political agreement. Clearly conscious of the legacy she will be leaving, Ms Reding is keen to find solutions to the “concrete issues” currently being raised in order to progress the draft Regulation as far as possible by the end of her term as Vice President: “We must act with the right firmness of touch, tailoring the rules we introduce to the needs of Europe in the 21st century. We do not want rules that place an excessive burden on business – quite the contrary indeed. Nor should our concern with privacy blind us to the need to respect other rights”.
At the Press Conference, Ms Reding specifically addressed Member States’ concerns in three main areas:
Administrative burden for companies
A key concern for Member States is the significant administrative burden that the draft Regulation imposes on companies. It is highly questionable whether the benefits of the new Regulation will actually result in companies achieving the 2.3bn Euros saving per year that has been suggested. However, Ms Reding has indicated that there will be exemptions that will apply to small and medium enterprises (“SMEs”) to reduce the administrative burden relating to their data protection obligations. She also stated that she is looking at widening the SME exemption to other areas to allow increased flexibility, meaning that only companies controlling/processing personal data on a large scale will be subject to the full remit of administrative and audit requirements in order to comply with the Regulation. It will be interesting to see the developments in this area in the next draft of the Regulation.
Delegated and implementing acts
The Regulation aims to harmonise data protection regulation across the EU, necessarily meaning that each Member State’s ability to implement further data protection related local law must be limited to a certain extent to maintain an EU-wide standard. However, the Article 29 Working Party, the representative body for the data protection authorities from each of the Member States, has voiced concern relating to the extent of the Regulation’s reliance on delegated and implementing acts, which allow the adoption of more specific rules, potentially resulting in many future amendments which are subject to less public scrutiny and may result in new provisions being too restrictive and/or implemented poorly. The number of delegated and implementing acts provided for in the current draft of the Regulation calls into question the extent to which the new regime will succeed in harmonising data protection laws across the EU. Ms Reding maintains that these acts will allow the Commission to remain “empowered” to amend the Regulation to ensure its future technological relevance. She stated that the delegated acts do not give a ‘blank cheque’ to the Commission but that there will be clear criteria for reviewing each delegated act, including the need to (1) avoid fragmentation, (2) supplement rather than amend the Regulation and (3) maintain the technologically neutral character of the law.
Flexibility for the public sector
There has been some call for increased flexibility in the application of the provisions of the Regulation to the public sector. However, Member States have raised concerns about suggestions to apply different rules to the public and private sectors. There now appears to be a consensus that a consistent data protection regime applicable across both the public and private sectors is necessary but with certain exemptions. The data protection regulators have identified particular circumstances which will require the rules to be adapted for personal data that is held by the public sector. Ms Reding has indicated that we can expect amendments to be made to the Regulation in this respect: “I am prepared to introduce further flexibility in the legislation, provided it does not run against the objectives of achieving a more harmonised legal environment… But one thing is clear: there can be no general exemption for the public sector.”
A UK perspective
At the 11th Annual Data Protection Conference, the UK Information Commissioner, Christopher Graham, commented that although he expects significant amendments to be made to the Regulation as it undergoes further consultation, there is likely to be little change to the provisions in relation to monetary fines. Mr Graham stated that data protection authorities are determined to ensure that companies take data protection seriously, that the authorities will pursue those found to have breached data protection rules, and that they fully endorse the proposed powers under the draft Regulation to impose fines of up to 2% of a company’s turnover. He also commented that one of the main issues he expects to be addressed in the next draft of the Regulation is the right to be forgotten. Although he expects the concept to remain, he envisages that the next draft may include substantial amendments to address the concerns of certain data controllers, particularly those in the financial sector, that in practice it may not be possible to permanently erase personal data due to the nature of data storage and backup.
The Justice Committee of the House of Commons recently published a report on the draft Regulation which, while acknowledging the benefits that the changes in the law will bring, heavily criticised the proposals for not allowing sufficient discretion or flexibility for companies. Sir Alan Beith MP, Chairman of the Justice Committee, said that “the current data protection laws for general and commercial purposes need to be updated, as they do not account for the digital world. However, we agree with the Information Commissioner's assessment that the system set out in the draft Regulation "cannot work" and is "a regime which no-one will pay for". Therefore, we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive”.
It will be very interesting to watch the debate continue as the Commission finalises its consultation on the Regulation, with the intention of reaching agreement by the end of 2014. The next step is a draft report anticipated to be produced next month ahead of a vote by the European Parliament in Spring 2013, with negotiations with the EU Council to take place later in 2013.