This IT & Outsourcing e-bulletin contains summaries of the following recent developments in law and regulation in the EU and the UK:  

  1. One small step for Europe; one giant leap for data protection?
  2. Security Update: BIS note on the proposed Network and Information Security Directive
  3. Neutral Territory: Agreement reached on proposed net neutrality regulation
  4. European Commission consultation on purchases of digital content
  5. Wrapping it up: CJEU confirms validity of jurisdiction clauses agreed electronically by “click-wrapping”  

1. One small step for Europe; one giant leap for data protection?

In June 2015, the Council of Ministers of the European Union (the "Council") finally agreed a general approach on the proposed EU General Data Protection Regulation (the "GDPR"), paving the way for negotiations to commence between the European institutions to agree a final version of the new GDPR.


Back in January 2012, the European Commission (the "Commission") published its draft GDPR, signalling the start of the legislative process to agree a new regulatory regime for data protection in Europe. The proposals represented a significant overhaul of the existing regime and, whilst there was commentary at the time suggesting that they would be adopted by the end of 2012, the process has already taken much longer and there is still a way to go.

The first part of the legislative process following the Commission's proposals was for the European Parliament (the "Parliament") to adopt its first reading position. This was achieved on 12 March 2014, after taking into account over 4,000 proposed amendments on the draft text.

The next step in the legislative process was for the Council to review the Parliament's position and adopt its own first reading position. This was finally achieved over a year later on 15 June 2015 meaning that, over three years after its initial publication, the legislative process for the adoption of the GDPR can now enter its next phase and trilogue negotiations between the institutions can begin.

The adoption by the Council of its position marks a key step in the legislative process. However, whilst the process may start to gain a little momentum now, it is clear from the three texts available (the Commission's initial draft, the Parliament's position, and the Council's position) that the institutions remain conceptually far apart on a number of key aspects to the GDPR.

Key areas of difference

The following areas of the GDPR highlight some of the key differences in approach between the European institutions which will need to be negotiated and agreed as part of the trilogue discussions:

  • Consent – One of the major criticisms of the current Data Protection Directive is the varying levels of consent required for different types of data processing. Both the Commission and the Parliament had sought to do away with this complexity in the GDPR by providing for consent to be freely given, specific, informed and explicit in relation to the processing of all types of data. The Council has amended this position by removing the requirement for explicit consent from processing of ordinary personal data, requiring instead “unambiguous” consent. The requirement for explicit consent is however reinstated in relation to the processing of sensitive personal data, meaning that, once again, differing levels of consent would be required for different types of personal data.
  • Data Security Breach Notifications – One of the key new obligations under the GDPR looks likely to be the obligation upon data controllers to report data security breaches to their national regulatory authority. The Council have sought to impose a materiality threshold and restrict this notification requirement to breaches which are likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of data protected by professional secrecy, or any other significant economic or social disadvantage. The Council has also amended the draft text to require any data security breach notification to be made within 72 hours. The Commission's original text proposed a 24 hour deadline, and the Parliament's proposal required notification without undue delay.
  • Data Protection Officer – The Commission’s original draft GDPR required a data controller/data processor to appoint a data protection officer ("DPO") when it employed more than 250 people. The Parliament’s position amended this requirement slightly but still required a DPO to be appointed in a number of circumstances. The Council has amended this requirement so that the appointment of a DPO would only be mandatory if required by EU or Member State law. Otherwise, it would be a voluntary action. Interestingly from an employment law perspective, the Commission and the Parliament also provided job security for the DPO. In their proposed texts, the DPO could only be dismissed if he or she no longer fulfilled the conditions required for the performance of his or her duties. In the Council’s proposed text, an amendment would allow for the DPO to be dismissed where there are serious grounds under the law of the Member State which justify the dismissal of an employee or civil servant.
  • Subject Access Requests – A number of changes are being proposed by all three EU institutions in relation to subject access requests. Currently there is a nominal fee which must be paid together with any subject access request. The GDPR does away with the requirement for a fee unless the request is manifestly excessive, in which case a fee may be charged. The Council has amended this position so that there is no ability to charge a fee but a data controller may refuse to comply with a subject access request where it is manifestly excessive or unfounded. There are also changes to the timeframe for compliance. The Commission suggested a one month timeframe to comply with subject access request, with the potential to extend the timeframe by a further month. The Parliament amended the initial timeframe to 40 calendar days, and the Council has reverted to one month but with the ability to extend by a further two months.
  • One Stop Shop – The idea of a "one stop shop" mechanism for regulating data protection was contained within the Commission's original draft of the GDPR. The Commission wanted to introduce a new framework which would avoid businesses having to engage with every national regulatory authority in each EU country that they process consumers' personal data. It wanted a new system which would allow businesses operating across the EU to answer to just one regulatory authority – in general the one based in the country of its main establishment. Under the Council’s proposals, data protection matters would be regulated differently depending on whether or not the complaint relates to activities in more than one Member State. The Council has proposed a new cooperation mechanism to take place between the "lead" regulatory authority and other concerned regulatory authorities, with disputes between the authorities being referred to a new European Data Protection Board.
  • Sanctions – Whilst all the European institutions seem to agree that the level of fines imposed under the new GDPR should be increased from the current UK maximum of £500,000, there is still a large discrepancy between the institutions as to what that maximum level should be. The original Commission draft of the GDPR proposed maximum fines of up to EUR 1 million or 2% of annual worldwide turnover. The European Parliament then proposed raising this significantly to EUR 100 million or 5% of annual worldwide turnover. The Council's proposals have suggested a return to the figures originally suggested by the Commission.

Next Steps

With the adoption of a general approach by the Council, the three European institutions are now free to enter into a trilogue in order to try and agree a final position on the GDPR. Indeed, the first trilogue session took place on 24 June 2015 and a draft timetable for the remaining trilogue sessions published by the European Parliament envisages the institutions reaching final agreement on the GDPR by the end of 2015. Once adopted, there would then be a two year period before the GDPR was applied (i.e. it would practically come into effect towards the end of 2017).

This timetable may prove to be optimistic given the major issues outlined above which are still to be negotiated and agreed between the parties. However, it cannot be denied that we are now one step closer to a new data protection regime.

To view a copy of the Council's adopted position, please click here

2. Security Update: BIS note on the proposed Network and Information Security Directive

The Bank of England has published a note produced by the UK Department for Business, Innovation and Skills on the progress of the proposed EU Directive on Network and Information Security (the "Cyber Security Directive").

In February 2013, the European Commission published its proposed Cyber Security Directive with the aim to put measures in place in order to ensure a high level of network and information security across the EU. However, almost two and a half years later, the Directive is still being negotiated between the various EU institutions.

One key area of debate still being discussed is the scope of the Cyber Security Directive. The European Commission believes that digital services such as search engines and social media websites should be included within the scope of the Cyber Security Directive, whereas the European Parliament would like to see them excluded, and the Council remains undecided. Any organisations covered by the Cyber Security Directive would be required to notify local government agencies in the event of a cyber incident that had a significant impact on the security of their core services.

According to the published note, it is possible that negotiations on the Cyber Security Directive will not be concluded until autumn. Member States would then have two and a half years to implement the requirements into national law.

To view a copy of the note, please click here. 

3. Neutral Territory: Agreement reached on proposed net neutrality regulation

On 30 June 2015, the European Commission announced that an agreement had been reached on a proposed regulation in relation to the open internet (net neutrality). The new regulation proposes to introduce EU-wide open internet rules under which providers must treat all traffic equally.

Under the proposed regulation, which will be the first regulation to enshrine the principle of net neutrality into EU law, internet users will have access to online content and services without any discrimination or interference. Blocking or slowing down by internet providers will not be allowed although the net neutrality principle will be subject to clear public-interest exceptions.

If any traffic management measures are needed, they will have to be transparent, non-discriminatory and proportionate.

ISPs will still be able to offer specialised services of higher quality as long as they do not affect the quality of the open internet. Member States will be required to set penalties applicable to infringement of net neutrality provisions.

The text of the draft regulation now has to be formally approved by the European Parliament and the Council and the net neutrality rules will come into effect across all Member States as soon as the text officially applies on 30 April 2016.

For further information, please click here

4. European Commission consultation on purchases of digital content

The European Commission has published a consultation on the rules for online purchases of digital content and tangible goods. The aim of the consultation is to collect views on the possible ways going forward of removing contract law obstacles related to online purchases of digital content and tangible goods.

The Commission notes that cross-border e-commerce within the EU is far from reaching its full potential, with only 18% of consumers in 2014 making purchases online from another EU country, and only 12% of retailers selling online to consumers in other EU countries.

The EU's Digital Single Market Strategy (adopted on 6 May 2015, for further details please see our previous IT & Outsourcing Bulletin available here) aims to break down barriers hindering cross-border e-commerce, and the differing contract rules that apply in cross border sales within the EU has been identified as one of the main issues.

All citizens and organisations are invited to contribute to the consultation, which runs until 3 September 2015.

To view a copy of the consultation, please click here

5. Wrapping it up: CJEU confirms validity of jurisdiction clauses agreed electronically by “click-wrapping”

In a recent decision, the Court of Justice of the EU ("CJEU") has clarified the requirement under the Brussels Regulation for a jurisdiction agreement to be "in writing" or "evidenced in writing" in the context of a contract concluded online.

In the case of El Majdoub v CarsOnTheWeb.Deutschland GmbH (Case C 322/14), the seller's general terms and conditions containing the relevant jurisdiction clause had been incorporated into the contract by way of “click-wrapping”. This means that the webpage containing the terms and conditions does not open automatically upon registration or in the process leading to the individual transaction. Instead, to view the terms and conditions, the contracting party has to click on an additional link.

The CJEU held that this was a valid jurisdiction clause, as the click-wrapping method of accepting the terms and conditions was equivalent to writing for the purposes of the Brussels Regulation. In particular, the CJEU held that a valid agreement on jurisdiction involving communication by electronic means only requires there to be the mere possibility of obtaining a durable record of the agreement of the parties. It held that this is the case “regardless of whether the text of the general terms and conditions has actually been durably recorded by the purchaser before or after he clicks the box indicating that he accepts those conditions”.

Given that a few national courts have previously taken a different position, businesses will certainly welcome this decision as many use the click-wrapping method to incorporate terms and conditions in contracts concluded online.