The Irish Presidency of the Council of the European Union has released its draft compromise text (the compromise) on the European Commission’s draft proposed General Data Protection Regulation (the Regulation). This text was released ahead of a meeting of the European Justice Minister on 6 June 2013 as a basis for debate. The compromise position which is proposed narrows the scope of the draft Regulation and moves away from a detailed and prescriptive approach, towards a more risk-based framework. It has been proposed following some significant divergence between the adopted opinions of the parliamentary committees of the European Parliament and the draft report of the lead committee (the Civil Liberties, Justice and Home Affairs Committee (LIBE)).
One key issue that the compromise document highlights at the outset is that eight Member States still do not appear to support the European Commission’s choice of a regulation as the appropriate legislative instrument, given its direct effect nature. Preference would be for the existing Directive 95/46/EC to be repealed and then replaced by another directive, which would require specific implementation in each individual Member State, thus allowing for some level of flexibility on such individual implementation.
Changes to key definitions
An important change is the additional category of “pseudonymised” data being proposed at Article 4(2a). This is personal data which is processed in such a way that the data cannot be attributed to a specific data subject without the use of additional information. This additional information must also be kept separately and subject to technical control measures to ensure that it remains non-attributable.
This definition characterises pseudonymised data as a sub-category of personal data, rather than of anonymous data or as a third and therefore different type of data. This could help to argue that encrypted data constitute pseudonymised data; a view that has often been rejected by regulators.
This new definition of “pseudonymised” data could also potentially assist UK data controllers in particular, as the Data Protection Act 1998 extends the concept of personal data not only to data which can identify the data subject, but also other data in possession of, or likely to come into the possession of the data controller. Thus, the inclusion in the proposal of “as long as such information is kept separately” allows data controllers to hold other identifying information provided it is segregated.
Some of the additional key changes proposed in the compromise text include:
Changes to Extra Territorial Application
The proposal seeks to provide clarity on the extent of the draft Regulation’s extra territorial application to data controllers outside the EU. Recital 20 of the compromise text states that mere accessibility of a controller’s web site from within the EU does not constitute the offering of goods and services under Article 2(a), and importantly, whether the controller appears to “envisage” doing business with the EU data subjects is a key factor. The proposal also removes those data controllers who “occasionally” offer goods or services to EU data subjects from the draft Regulation, aligning with the proposal’s aim of creating a risk-based approach to regulation in this area.
One of the main aims stated in the proposal is the risk-based approach to regulation, and in this regard the proposal appears to be more commercial /business-focused and pragmatic. An important addition is an additional recital clarifying the right to data protection as a qualified right. Throughout the proposal, the principle of proportionality is highlighted, as well as the importance of other competing fundamental rights, including the freedom to conduct a business.
The compromise incentivises data controllers to process pseudonymised data or anonymous data instead of personal data (as is current practice and policy under existing legislation), but the text goes further in providing comfort to data controllers in reminding them that they can rely on legitimate interests basis in order to anonymise or pseudonymise personal data when processing.
Data controllers can anonymise/pseudonymise personal data before processing for statistical or analytical purposes, and this would prove highly useful to controllers in data-heavy sectors, such as IT and consumer retail.
Consent and Lawful Processing
The draft Regulation provides that valid consent must be “explicit”, whereas in the proposal text consent must be “unambiguous”, except in the case of processing personal data. This reverts to the current position under the Directive, and reflects the practical difficulty of achieving explicit consent in every case.
The draft Regulation also imposes the requirement for separate and distinguishable written consents for different processing purposes (Article 7(2)). However, under the compromise text, only the requests for consent for separate processing purposes must be distinguishable and not the consents themselves. Therefore, data controllers could obtain a single written consent to multiple processing activities, if they provide clear and distinguishable notice of each different processing activity to be undertaken.
Additionally, the legitimate interest basis for lawful processing (Article 7(f) of the existing Directive) is explicitly extended to include fraud prevention, anonymising or pseudonymising data and direct marketing purposes. The extension to include fraud prevention will be welcomed by data controllers in the financial and retail sectors. However, the inclusion of direct marketing purposes may not be a positive in continental Europe, although it is standard practice currently here in the UK.
In the compromise text, data controllers are not required to provide fair processing notices where the data are collected from publicly available sources. Compared with the draft Regulation, this is much more beneficial for controllers who process large amounts of publicly available data, such as advertisers and recruiters.
The compromise significantly narrows the scope of the profiling restrictions that were introduced under the draft Regulation by changing the prohibition to apply to decisions rather than measures. This reflects the restrictions currently imposed under Article 15 of the Directive and therefore only apply where the decision would produce legal effects that severely impact the data subject. This will be a welcome amendment for data controllers.
Security breach notification
A big positive for data controllers and an expected amendment from the compromise text is that the timeframe for reporting personal data breaches may be extended from 24 to 72 hours. And only significant breaches which may result in severe material or moral harm need to be notified to the competent authority. This greatly differs from the draft Regulation, which requires all breaches to be notified and does not specify any thresholds. In line with these amendments, the compromise states that only severe breaches need to be notified to affected data subjects.
Positives for data controllers?
As previously stated the compromise text provides a more measured approach to regulation than the draft Regulation. In particular, as a positive for data controllers, the compromise appears to reflect that the most challenging of the obligations to meet in practice are likely to be re-cast in more pragmatic and realistic terms.
However, the visible differences in approach between the various EU legislative actors will make compromise challenging, and casts doubts over when the draft Regulation will actually become law.