European regulators took another step forward on the protracted and procedurally involved path to EU-wide data privacy reform earlier this month when the European Council (the organization of the individual member states) agreed upon a "common approach" to data privacy regulation (available here) that would significantly strengthen the data protection framework across the European Union. The agreement of the Council means that the three bodies that need to come to an agreement on data privacy reform - the EU Commission, the European Parliament and the Council - will now move into negotiations on the final text of the General Data Protection Regulation.
The Commission originally proposed the draft regulation in 2012 (see our earlier alert), which was adopted, with some changes, by the European Parliament in 2014. The Council common approach endorses many of the key principles in both drafts adopted by the Commission and Parliament, but with further modifications that impact several key points of the draft General Data Protection Regulation.
Scope of Regulation: The Council's draft endorses the application of the regulation outside the EU to non-EU data controllers that offer goods or services to consumers in the EU, or that collect data and monitor the behavior of individuals in the EU.
Consent: While both the Commission and the Parliament's approach would require companies to obtain explicit consent before processing any personal data, the Council would only require that consent be explicit where sensitive personal data is involved. In other situations, consent must be "unambiguous." The Council approach also requires that a request for user consent be clearly distinguishable when it appears in a written form that also includes other information or the acceptance of other terms and conditions.
Right to Be Forgotten: The Council's position also endorses the "right to be forgotten," provided for in the European Commission's original proposal, which affords individuals the right to request the removal of links on third-party sites to information about them.
Further Use of Collected Data: The Council's common approach clarifies the circumstances under which data processors can process and use personal data for a purpose other than that for which the data was initially collected, including where the new purpose is "compatible" with the initial one.
Breach Notification: Under the breach notification provisions as originally proposed, all data processors would be required to notify national Data Protection Authorities within 24 hours of the breach being discovered, where feasible, and the affected individuals "without undue delay." The Council's approach narrows this obligation: the appropriate authority must be notified within 72 hours and the affected individuals without undue delay - but only if the breach results in a high risk for individuals (for example, identity theft, financial loss, damage to the individual's reputation or loss of confidentiality for those protected by professional rules of confidentiality).
Fines: Under the proposed Commission draft, companies could be fined up to 1 million Euros or 2 percent of their "global turnover" for serious offenses (processing sensitive data without an individual's consent, for example) and fines of 250,000 Euros or up to 0.5 percent of "global turnover" for less serious offenses (charging a fee when an individual requests his or her data, for example). The European Parliament proposed a maximum of 5 percent for the most serious offenses. The Council's draft endorses maximum fines in line with the European Commission's initial proposal.
One-Stop Shop: While the Council endorses the "one-stop shop" mechanism for transnational cases (EU companies would be subject to enforcement by a single data protection authority located in the country where the company has its main European operations), the draft also gives individuals the ability to consult the data protection authority of their domicile country, which then has to work with the "lead authority." The Council text also enables national authorities to handle cases that relate to "an establishment in its Member State or substantially affects data subjects only in its Member State."
Data Protection Officers and Privacy Assessments: The Council's approach removes the obligation of companies to have a data protection officer, which both the Commission and Parliament versions made mandatory in some cases. The Council's version leaves it to the individual Member States to decide whether and in what circumstances to make having a data protection officer mandatory. The obligation to undertake a privacy impact assessment before a company can process personal data would also be limited to circumstances of high-risk processing.
Regulators hope to resolve differences between the parties' drafts and issue the final version by the end of 2015.