Where do we come from?
In 2012, the European Commission adopted an ambitious proposal for an EU General Data Protection Regulation (“GDPR”). The European Commission’s aim is to amend and further harmonise the existing EU rules on the protection of personal data (Directive 95/46/EC in particular) in order to adapt them to the reality of a single digital market in the EU. The European Parliament issued its position in 2014, sharpening the European Commission’s proposal on several points. The most difficult discussions took place at the level of the Council, which groups all the EU Member States and has now reached a general agreement on the text.
15 June 2015: Common approach of the EU Member States
On 15 June 2015, the Council (in other words: the EU Member States) adopted a common approach. The latter, in substance, upholds and clarifies the previous GDPR proposals, but includes substantial modifications on some points in comparison to the versions of the European Commission and the European Parliament. The Council has taken the following common position on several key points of the GDPR proposal:
Consent: if consent is the legitimate basis for the processing, the Council’s common approach requires that it be “unambiguous”, but it need not be “explicit” as proposed by the European Commission and the European Parliament. The common approach has abolished the common threshold of 13 years for consent given by children.
The Council’s common approach has further clarified the requirement that the request for consent must be distinguished where consent is to be given in the context of a written declaration which also concerns other matters. This will have a significant impact on several existing general terms and conditions, where adherence to a privacy clause is sought together with the acceptance of other conditions.
Further processing for “compatible” purposes: the Council’s common approach clarifies the framework for a further processing of personal data for a purpose other than the purpose for which the personal data have been initially collected, but where the purpose is compatible with the initial one.
Profiling: the Council’s common approach has introduced some substantial exceptions to the prohibition on adopting decisions evaluating personal aspects relating to the data subject, which are based solely on automated processing.
Data protection by design: the Council’s common approach has limited the obligation to implement technical measures guaranteeing privacy by design.
Notification of breach: the Council’s common approach limits the obligation to notify a data breach to the competent authority (within 72 hours instead of the 24 hours previously proposed) and to the data subject (without undue delay) to cases where the breach results in a high risk for individuals (such as discrimination, identity theft, fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage).
Privacy Impact Assessment: the obligation to undertake a privacy impact assessment before the processing of personal data is limited to high risk processing.
Data Protection Officer: the proposals of the European Commission and the European Parliament obliged some organisations and undertakings to have a data protection officer. Under the Council’s common approach, no organisation or undertaking is required to have such an officer.
One-stop shop: the Council text intends to provide a one-stop shop both for companies and for data subjects, noting that the lead authority, that is, the national data protection authority of the main or single establishment of the controller or the processor, shall be the “sole interlocutor for [companies] for their transnational processing”. Data subjects will equally have the possibility to consult the data protection authority of their domicile, which then has to liaise with the lead authority. This clear line is, however, somewhat blurred, as the compromise text equally enables national authorities to handle cases that relate only to “an establishment in its Member State or substantially affects data subjects only in its Member State”.
Administrative fines: the GDPR introduces the possibility for all national data protection authorities to impose administrative fines. The Council’s common approach brings the maximum fines in line with the European Commission’s initial proposal again, i.e., in the case of an undertaking, 2% of its worldwide turnover (for the most important violations), whereas the European Parliament proposed a maximum of 5%.
Reduction of the European Commission’s regulatory powers: the Council’s common approach has at several places in the draft GDPR limited the powers of the European Commission to regulate via implementing acts. On the other hand, the EU Member States have regained some room to regulate, e.g., they may introduce more specific provisions to adapt the provisions of the GDPR for the processing of personal data for the purposes of compliance with a legal obligation or the performance of a task carried out in the public interest.
What’s next?
There is no doubt that the common approach between the EU Member States, which was the most difficult hurdle to clear in the legislative process, paves the way for the adoption of a final text.
The Luxembourg Minister of Justice Felix Braz has formally stated that: "This reform is a package and we have the firm intention to conclude by the end of this year", which would mean that the final text of the GDPR would still be adopted under the current Luxembourg presidency.
In order to reach such agreement on the final text, so-called informal “trilogue” discussions between the Council, the European Parliament and the European Commission will take place, with a first round already planned for next week, on 24 June 2015, and a further session on 14 July 2015.