On May 31, the Irish Presidency of the Council of the European Union published a counter-proposal to the Commission’s draft Regulation on protecting personal data. This proposal is being submitted even though the Parliament has not yet adopted its position at first reading, which is rather unusual under the European parliamentary procedure.
The Council’s proposal begins by asserting in its recitals that the right to the protection of personal data is not an absolute right but must be considered in relation to other rights, such as the freedom of conscience and the freedom to conduct a business. The freedom to conduct a business has prompted several proposals drafted by the Irish Presidency, whose goal seems to be to rebalance a draft Regulation considered overly prescriptive for companies, particularly SMEs.
Restricting the Regulation’s territorial and material scope
The current wording of the draft Regulation applies to data controllers regardless of their geographic location, provided that they offer products or services to European residents or that they monitor their “behavior”. To limit the extraterritorial reach of this provision, the Council’s proposal restricts its application to the monitoring of behavior of European residents that actually takes place within the European Union, and not to behavior of these residents taking place outside that territory (Article 3.2(b)).
The proposal by the Irish Presidency does not include within the Regulation’s material scope the processing of personal data by a natural person under personal or household activities (recital 15 and Article 2.2(d)). However, the controller or sub-contractor who provides the natural person with these services is subject to the Regulation.
Relaxing the purpose principle
Although the prohibition on reusing data for purposes that are incompatible with those of the initial collection is maintained, the proposal by the Irish Presidency introduces five criteria to determine whether or not the intended reuse falls under this prohibition (new Article 6.3a). The Council’s wording thus indicates that to “evaluate” the compatibility of the intended processing, it is appropriate in particular to take into consideration: the “link” between the initial purposes and the new purposes, the “context” of the data collection, the “nature” of the personal data, the “possible consequences” of the intended processing and the existence of appropriate safeguards. These criteria offer the data controller greater leeway, and therefore flexibility, to evaluate on its own whether the new purpose is compatible with the initial collection.
In addition, the Council’s proposal introduces a presumption of legitimate interest (recital 39) for the data controller in three situations: preventing and combating fraud, anonymizing or pseudonymizing personal data, and direct marketing. It is worth pointing out that this presumption appears only in the recitals and not in the articles, which weakens its normative scope.
Lastly, the Council’s proposal places a lot of focus on pseudonymization, which becomes one of the Regulation’s most important legal mechanisms. First of all, the proposal defines pseudonymization in a rather complex way (new Article 2a). It refers to personal data processed in such a way that the data cannot be attributed to an identifiable natural person unless additional information is used, provided that this additional information is stored separately and is subject to technical and organizational measures guaranteeing that it cannot be recombined with the data.
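To make the definition above concrete: the “additional information” that the Council’s text requires to be stored separately is, in practice, a key and a token-to-identity table. The following is an added illustration, not code from the original article or from any EU text; the records, field names and the HMAC-based tokenization are constructed assumptions chosen to show the three properties the definition implies (the working data set carries no direct identifiers, the same person still maps to the same token so analysis remains possible, and re-attribution requires the separately held material).

```python
"""Pseudonymization with a separately held re-identification key.

Direct identifiers are replaced by a keyed-hash token. The key and the
token -> identity table are the "additional information" that must be
kept apart from the working data set, under their own access controls.
"""
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical, not taken from the article).
RECORDS = [
    {"name": "Alice Martin", "email": "alice@example.org", "city": "Dublin", "purchases": 3},
    {"name": "Bob Keane", "email": "bob@example.org", "city": "Cork", "purchases": 1},
    {"name": "Alice Martin", "email": "alice@example.org", "city": "Dublin", "purchases": 2},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_token(key: bytes, identifier: str) -> str:
    """Derive a stable pseudonym from an identifier with HMAC-SHA256.

    A keyed hash rather than a plain hash: someone holding only the
    pseudonymized set cannot rebuild the mapping by hashing guessed e-mails,
    because the key is stored elsewhere.
    """
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key):
    """Return (working_set, lookup_table).

    working_set:  records with direct identifiers replaced by a token.
    lookup_table: token -> original identifiers; to be stored separately
                  from working_set (the "additional information").
    """
    working_set, lookup_table = [], {}
    for rec in records:
        token = make_token(key, rec["email"])
        lookup_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        working_set.append(pseudo)
    return working_set, lookup_table


def reidentify(pseudo_record, lookup_table):
    """Re-attribute a record; only possible with the separately held table."""
    identity = lookup_table[pseudo_record["subject_id"]]
    rest = {k: v for k, v in pseudo_record.items() if k != "subject_id"}
    return {**identity, **rest}


def contains_direct_identifiers(working_set):
    """Release check: the working set must carry none of the direct identifiers."""
    return any(f in rec for rec in working_set for f in DIRECT_IDENTIFIERS)


def purchases_per_subject(working_set):
    """Analysis that still works on pseudonyms: same person -> same token."""
    totals = {}
    for rec in working_set:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["purchases"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, apart from the data
    working, lookup = pseudonymize(RECORDS, key)
    print("working set (no names/e-mails):", working)
    print("per-subject totals:", purchases_per_subject(working))
    print("re-identified first record:", reidentify(working[0], lookup))
```

The separation is what carries the legal weight: an analyst given only `working_set` can aggregate per subject but cannot name anyone, while the key and `lookup_table` stay with the controller. Losing the working set alone is therefore a lesser event than losing it together with the lookup table, which is the distinction the breach-notification relief in the proposal relies on.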
The introduction of pseudonymization as a legal category has significant legal consequences. First of all, pseudonymization makes it possible to lower the risk of data processing operations within the “Privacy by Design” mechanism (Article 23). Secondly, it is considered an appropriate security measure that the data controller must implement (Article 30). Thirdly, it exempts the data controller from the duty to report a data breach to the data subject (Article 32). Lastly, it is a tool that professional codes of conduct can rely on in order to be certified as compliant with the Regulation (Article 38).
This type of legislative initiative is important because it represents in some way the European reply to the supporters of Big Data, who assert that data anonymization is now impossible given the existing computing power and that the principle of purpose hinders technological progress. In fact, by relaxing the principle of purpose and outlining a legal framework that promotes pseudonymization technologies, the Council’s proposal should make it possible to reconcile the European data protection framework with the emerging phenomenon of Big Data.
Adapting companies’ obligations based on their size and processing risks for freedoms
Article 22 as amended by the Council introduces the principle under which the “obligations” of the data controller must take into consideration the nature, context and purposes of the processing, as well as the risks for the rights and freedoms of the data subject. This principle of proportionality between the risks and the measures that must be taken is set forth in the provision relating to Privacy by Design and by Default (Article 23) and in the obligation to keep records of data processing operations (Article 28). In this respect, companies with fewer than 250 employees are exempt from the duty to keep records unless the intended processing represents a specific risk for freedoms. Privacy Impact Assessments remain mandatory for data controllers when processing may present a specific risk for the rights and freedoms of individuals (Article 33). However, the Data Protection Authorities, which are consulted when the risk is deemed “high”, shall issue a ruling within 6 weeks.
Lastly, appointing a data protection officer is no longer mandatory and has been left to the discretion of Member States (Article 35). The officer’s responsibilities have been cut by half: for example, monitoring processing records, monitoring compliance with the Privacy by Design obligations, and drafting Privacy Impact Assessments have been removed.
A new compliance mechanism that relies on third-party certifiers
One of the proposal’s major innovations is to introduce third-party certifiers in an effort to promote the use of codes of conduct. Articles 38 et seq. of the Regulation already govern the creation of codes of conduct by professional associations or organizations. The Council’s proposal is innovative in that it requires these codes to be certified by third-party certifiers who are in turn accredited by the relevant Data Protection Authorities, following the consistency mechanism at the European level (new Articles 38a and 39a). This third-party mechanism is inspired by the system in effect within APEC for CBPR (Cross Border Privacy Rules) and may represent the introduction within the European Union of legal tools designed to make the two systems more interoperable.
Finally, of the 46 implementing acts delegated to the Commission as initially contemplated in the draft Regulation, none remains. The Irish Presidency opted for a more succinct, albeit immediately applicable, Regulation. One alternative would be to transform the draft into a Directive, as wanted by a hard core of eight Member States. A directive would allow each Member State to adopt implementing provisions more quickly than the European Commission, but this could weaken the initial purpose of the reform, which was to further harmonize European regulations.