The Council of the European Union has published proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation (“Regulation”). This proposal was led by the current Italian Presidency and the revisions reflect input from representatives of the national governments of the EU Member States.
In the proposed revisions, the Council takes a risk-based approach to compliance. A risk-based approach allows data controllers to exercise greater discretion and flexibility in assessing how to address their compliance responsibilities in the context of their particular businesses. The proposed revisions are premised on the concept that compliance obligations should be proportional to the specific processing activities. This is less prescriptive than the approach in the first draft of the Regulation.
This risk-based approach is reflected throughout Chapter IV of the Regulation. For example:
- The requirements of privacy by design and by default (in Article 23) have been made more adaptable to the context of the data controller’s business, by taking into account the nature, scope, context and purposes of the data controller’s processing activities, as well as the likelihood and magnitude of the risks to the rights and freedoms of individuals.
- Data controllers established outside of the EU do not need to appoint a representative in the EU for processing activities that are “occasional” and “unlikely to result in a risk” to the rights and freedoms of individuals (Recital 63, Article 25).
- The level of security measures that are considered “appropriate” (in Article 30) is determined by analyzing a broad range of factors, including the available technology, the cost of implementation, the nature, scope, context and purpose of the data controller’s processing activities and the likelihood and magnitude of the risks involved.
- Data protection impact assessments (under Article 33) are required only for processing activities that are likely to involve a “high” risk to the rights and freedoms of individuals, such as discrimination, identity theft, fraud or financial loss.
- The requirement to consult with data protection authorities prior to commencing certain processing activities (Article 34) is limited to processing that “would result in a high” degree of risk “in the absence of measures to be taken by the controller to mitigate the risk.”
- The obligation to report data breaches (in Articles 31 and 32) extends only to those breaches that are “likely to result in a high risk for the rights and freedoms of individuals.” If the compromised data is encrypted or otherwise protected so that it remains unintelligible, the data controller is not required to report the breach.
- The appointment of Data Protection Officers (under Article 35) is voluntary, unless the national law of the relevant Member State provides otherwise.
The Council’s proposals are limited to Chapter IV and do not address substantive issues in other chapters of the Regulation. The prevailing principle in the process of revising the Regulation is that “nothing is agreed until everything is agreed.” Therefore, it is possible that the Council of the European Union will further revise Chapter IV of the Regulation.