The legislative process in respect of the proposed General Data Protection Regulation (the “Regulation”) is progressing, with the Council of the European Union (the “Council”) releasing the latest version of the draft Regulation on 19 December 2014.
Divergence continues to exist between the Council and the European Commission (the “Commission”), and between Member States, on a number of issues. An important example is data minimisation. Article 5(c) in the Commission’s text would require personal data to be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed”. The Council has proposed an amendment that deletes “limited to the minimum necessary” and replaces it with “not excessive”, which, should it survive, would appear to offer organisations a considerably more pragmatic approach to their obligations.
Further, in the Commission’s proposals, all public bodies, businesses with more than 250 permanent staff, and organisations with “core activities” that “consist of processing operations which … require regular and systematic monitoring of data subjects” would be required to appoint a Data Protection Officer (“DPO”). Under the Council’s plans, no organisation would be under an obligation to appoint a DPO unless required to do so under other EU legislation or the national laws of individual EU Member States. Instead, the Council says organisations “may” appoint a DPO and goes on to list conditions that organisations electing to appoint a DPO would have to conform to.
In total, the current draft Regulation shows that over 30 reservations have been entered by the Commission and over 500 by Member States. This underlines the difficulty of providing a reliable time frame for reaching political consensus on the Regulation at this point.