On the 9th European Data Protection Day, (28 January 2015) European Vice-President Andrus Ansip and Commissioner Věra Jourová, made a joint statement in which they announced it was "a day to celebrate and raise awareness of the importance of protecting personal data, a fundamental right for everyone in the EU". Here, our data protection experts assess the current state of the draft Data Protection Regulation.
In March last year we reported on the European Parliament's approval of the proposed Data Protection Regulation (the Regulation). The remaining stage was formal approval by the European Council then formal adoption of the Regulation.
Much of the Regulation may still be amended, but the Council released its latest 'partial general approach' on specific issues late December, which provides a snapshot of how the Council's vision for Regulation is developing. To retain some sense of order in our analysis of these developments, our data protection experts once again focus on what the European Commission calls the four main 'pillars'.
Pillar one: One continent one law
The European Commission has from the outset (ie when they first issued their draft in 2012) made it clear that the principle of one Data Protection law to apply across the continent is at the centre of the reforms. The principle remains largely un-changed from the Commission and Parliament proposals.
There have, however, been some clarifications inserted in the latest amendments to the Regulation. Under Article 1 of the Regulation, the Council has inserted a new proviso stating that Member States may "maintain or introduce more specific provisions" to adapt the application of the Regulation for:
- processing personal data for compliance with a legal obligation;
- the performance of a task carried out in the public interest;
- the exercise of official authority vested in the controller; or
- "other specific processing situations" as provided for in the Regulation,
by determining more specific requirements for the processing to ensure lawful and fair processing.
"Other specific processing situations" are set out in Chapter IX and include requiring Members States to provide exemptions or derogations from the obligations of the Regulation to protect the right to freedom of expression and information for journalistic, academic, artistic or literary purposes. Further exemptions include allowing personal data to be disclosed to reconcile with public access to official documents and allowing Member States to provide for specific rules in relation to employees' personal data.
This would appear to water-down the one-size-fits-all proposals of the Regulation. The intention of this amendment is made clear from the description provided in the amended Recital 8 to the Regulation. The Council recognises that, in implementing the current data protection directive (95/46/EC), Member States have put in place sector-specific rules and it believes that these additions will provide the flexibility to uphold these rules.
It remains to be seen whether or not the scope to depart from the Regulation remains compatible with the general goal of 'one continent one law'. Although not an entirely unchecked flow, this does crack open the gates to allow national deviations on data protection compliance. The Regulation has been widely criticised for the potential cost to organisations (both controllers and processors) in implementing the proposed laws. The silver lining (for multi-nationals at least) was that laws across the European Economic Area would be uniform but it appears that this silver lining is diminishing.
We had previously noted the vastly-increased fines that a data protection regulator could impose. As it currently stands, this proposal is unchanged as the Council has not yet adopted its proposal with regard to the level of fines. From the Council's December 2014 draft the implication is that fines will still be a percentage of global annual turnover but the exact percentages remain to be revealed.
The Council's draft does indicate a continued softening of the approach to fines (the European Commission originally having taken a very tough stance) and regulators will have more discretion as to whether to impose a fine or instead to rely on other sanctions. Where a fine is imposed the regulator will be able to take into account a wide range of listed mitigating factors (for example, repeat offences, number of data subjects involved, mitigation action taken) and 'any other aggravating or mitigating factor applicable to the circumstances of the case'.
Pillar two: Compliance of data processors and non-European companies
The proposal for the Regulation to apply to data processors (entities that process personal data on behalf of data controllers) as well as data controllers (those that determine how and why data is processed), remains unchanged in the Council's proposal.
A point particularly for processors to take note of is the growing extent of processor responsibilities under the Regulation; requirements intended to help controllers comply with their data protection obligations but which will add extra layers of cost for their processors (and an extra expense that some processors may want to factor into bids).
Earlier versions of the Regulation had stated that data controllers not established in the EU would be required to comply with EU data protection law where the processing related to offering goods or services to European citizens or where they were monitoring their behaviour.
The Council has taken steps to clarify these provisions. It has added that the offering of goods or services is irrespective of whether a payment is required from the data subject and that the monitoring of behaviour means their behaviour so far as it takes place within the EU. It is likely that at least the former of these amendments is designed to catch social media businesses and the latter to catch ad targeting directed at the EU.
The requirement for a non controller to designate a representative in the EU has also been amended by the Council. It has adopted neither the Commission's proposal for the requirement not to apply to an enterprise with fewer than 250 employees nor the Parliament's proposal that it should not apply to a controller processing personal data in relation to less than 5000 data subjects in a 12-month period.
Instead the Council has taken a 'risk-based' approach stating that the obligation shall not apply to processing which is "occasional and unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing".
This approach widens the scope to cover a vast number of data controllers across the world and must surely be redefined more specifically during the legislative process.
In March, we also reported on the principle of data protection by design, which meant that 'producers' of automated systems were included within the Regulation's ambit. Although this principle is not yet fully agreed by the Council, there are notable amendments to the Regulation that signify the dilution of the requirement for producers themselves to build systems that enable customers to comply with their obligations under the Regulation.
Recital 61 and Article 23 both referred to "data protection by design" in the Parliament's version of the Regulation. This has been replaced by a requirement within the Council's amended Recital 61 (there is no mention of it at all in their current formation of Article 23) that 'producers should be encouraged' to take into account the right to data protection when developing and designing relevant products, services and applications.
This means that the requirement has been passed on to the controller who will be required to implement appropriate technical and organisational measures to meet the requirements of the Regulation, having regard to (among other factors) available technology and the cost of implementation.
Pillar three: The rights of data subjects: The right to be forgotten and erasure
The Council's position on the right for EU citizens to require data controllers to delete their personal data and in some cases to automatically delete personal data has not yet been considered and agreed.
We will have to wait to see if the Council will adopt these proposals, but it seems probable that they will in light of the Google Spain case from which it would appear the right to be forgotten is already in existence. Although they are unlikely to disappear entirely, the proposals in the Regulation on the right to be forgotten and erasure may well be clarified, drawing on the Article 29 Working Party's November 2014 Opinion on the scope of this right.
Pillar four: one-stop-shop
Under the current data protection regime in Europe there is no obligation for national regulators to coordinate and cooperate with each other. Where there is a cross-border element to data processing activities, it can be a complicated and uncertain system for organisations and individuals alike.
The Commission cites the flaws of the current system as demonstrated in the Google Street View case. Here the actions of a single company affected individuals in several Member States in the same way, yet it prompted uncoordinated and divergent responses from national data protection authorities.
In December, the Council debated the so-called "one stop shop" mechanism on the basis of the proposal presented by the Presidency of the European Union. The general framework of this proposal was approved by the majority of ministers. We have set out the main points of this proposal below. However, it was agreed that further technical work would be required on the mechanism.
In October and December 2013, the Council had expressed its support for a one-stop-shop with the aim of achieving a single supervisory decision in important transnational cases. The overriding objectives were for it to be fast, ensure consistent application across all Member States, provide legal certainty and reduce administrative burden.
In June 2014, the Council mandated the Presidency to continue work on the mechanism. In particular, it asked for the Presidency to address enhancing "proximity" between individuals and the decision-making data protection authority (DPA) by involving the national DPA in the process and to undertake an investigation into the possibility of providing the European Data Protection Board (EDPB) with the power to adopt binding decisions regarding corrective measures in certain cases.
In its proposal, the Presidency has sought to clarify the categories of cases that DPAs have to address. The current text of the Regulation foresees three types of cases:
1. Local cases
The general principle is that processing situations affecting only one Member State (or the persons within it) should be dealt with by the local DPA and not be covered by the rules of the one-stop-shop. Specifically, a local case is defined as:
- a case concerning the territory of the DPA's Member State (territorial competence);
- a case where the data controller is a public authority or body of that Member State (functional competence); or
- processing by a controller or processor established in the territory of the DPA's Member State or exclusively affecting data subjects in the territory of its Member State (material competence).
The decisions of local DPAs will be challengeable before the courts of the relevant Member State.
2. Cross-border cases and the one-stop-shop
The mechanism relies on enhanced cooperation and coordination between a "lead" DPA and other "concerned" DPAs. The proposal states that the one-stop-shop should only intervene in important cross-border cases. The criteria for these important cross-border cases are:
- processing by a controller or processor established in more than one Member State - in this case the "lead DPA" will be that of the main establishment of the controller or processor; or
- processing by a controller or processor established in only one Member State but which affects substantially or is likely to affect substantially individuals in other or all Member States - in this case "the lead DPA" will be that of the single establishment of the controller or processor.
A key feature of the one-stop-shop mechanism will be the involvement of all concerned DPAs in the decision-making process. Broadly, a DPA is "concerned" in a case if the controller or processor is established in, or the data subjects are present in, the Member State. A controller or processor will be required to indicate to its local DPA where its main establishment is located. The DPA will then inform the EDPB who may keep a public register of this information.
Cooperation and joint-decision making
The lead DPA shall be required to cooperate with other concerned DPAs to reach consensus. The lead DPA will investigate a case and then submit a draft decision on which the concerned DPAs may comment. Either the DPAs jointly agree or a concerned DPA can make a reasoned objection.
The proposal sets out that the jointly agreed decision will be adopted by the DPA best placed to deliver effective protection from the individual's perspective. In effect, this will be the local DPA that will be adopting the decision in all cases where a complainant could be adversely affected by it. This will mean that the individual will be able to have the decision reviewed by their own court.
This proposal is intended to strengthen "proximity" and address concerns raised by the Legal Service of the Council in December 2013 that the system was complicated and would be incompatible with the right to an effective remedy.
3. Dispute resolution in cross-border cases
The current text also introduces a dispute resolution system for cases where DPAs cannot reach agreement in a case concerning an important cross-border situation.
It is foreseen that the appropriate forum for dispute resolution will be the EDPB, which will be composed of all DPAs and with its own legal personality. The EDPB will decide an issue by a two-thirds majority and it will be possible for persons involved in the procedure to have the legality of a decision reviewed either directly by the European Court of Justice (ECJ) and/or indirectly via national courts.
What else?
The previous versions of the Regulation included a mandatory requirement for controllers and processors to designate a data protection officer. This requirement was subject to the number of employees of the entity in the Council version but amended to reflect the amount of personal data it processed in the Parliament's version of the Regulation (this was again designed to catch social media businesses). Although it is subject to certain Member States' reservations and potential future amendment, the current agreed text of the Regulation makes the designation of a data protection officer optional or applicable where it is required by either EU or Member State law.
This is a significant amendment because it reintroduces uncertainty, specifically for Small and medium-sized enterprises (SMEs) (for whom designating a Data Protection Officer (DPO) could be a costly and unnecessary administrative burden), and also reopens the possibility of inconsistent application of data protection rules across Europe.
And finally...
The Council has also fleshed out the provisions of the Regulation that deal with codes of conduct and certification. The EDPB and the Commission, (potentially through additional legislation), will encourage sector-specific associations and other representative bodies to develop codes of conduct to help with the application of the Regulation. Such codes may be then approved by the local DPA and a certification mechanism shall be encouraged to act as a seal of approval for compliance with an approved code. This will enable individuals to recognise where a data controller is handling their data in line with EU rules.
Next steps
The final text of the Regulation, which will form part of the European Data Protection reform package along with the Cyber Security Directive, will need to be agreed by the Council and the European Parliament under the 'ordinary legislative procedure'. There is no time limit for the first reading in the Council and then second readings (and even third readings) in both the Parliament and the Council will ensue before a final text can be adopted.
It is hoped that a final version of the Regulation will be agreed before the end of 2015 - the Juncker Commission along with the the Latvian presidency and the Council have all stressed the importance of achieving a general approach this year - but there may well need to be some degree of flexibility and compromise along the way. This will no doubt affect the final legislative and material outcomes of the Regulation.