So time has gone on a little bit and we are now 3 years down the line from when the European Commission released it’s proposed revised Data Protection framework on January 25th 2012. Some may say that progress has been slow but is that truly the case? We appear to have come a long way from a proposal that was written off as a “non-starter” to a piece of legislation that has seen more political discussion and campaigning than any other piece of legislation in the EU’s history.
So where are we then? In my last post (and apologies that it has been a while since my last post) we went through some of the key agreed texts from the European Parliament and outlined what the next steps in the Regulation’s journey might be. On the whole the ‘official’ actions coming out of the EU have been quiet over the last 10 months or so mainly due to the changes in Parliament Members and the change to the European Presidency.
On December 4-5 2014 at the Justice and Home Affairs Council meeting several of the key points around the Regulation were discussed. While official statements were limited there were some key areas that were discussed and some ‘formal’ stances announced.
‘One Stop Shop’: On the whole the Council and Parliament seem in favour of this idea however there is still intense discussion around how this will be implemented in practice. What is certain however is that both the Parliament and Council won’t allow for the Commission to have the final say on EU wide Data Protection issues as proposed in the Commission’s text. Very much a “we will have anything except that” view point. All institutions however have agreed that DP Authorities will and indeed do need more resources and technical capability.
Right to erasure, data access, and correction: The contested so-called “right to be forgotten” has been limited by the Parliament so that only those publishing personal data in breach of data protection law are obliged to ensure every copy is deleted. The regulation currently seems to call for a meaningful balance between freedom of expression and freedom of information on the one hand, and the protection of personal data on the other. While there is an understanding in Parliament that the “right to be de-listed” as spelt out in the Google Spain judgement of the European Court of Justice in May 2014 is already contained in the text, the Council is still discussing the need to add specific wording.
Informed consent: Data Subjects essentially must be informed about what happens with their data, and they must (in principle at least) consciously agree to the data processing that is outlined (or indeed reject it without suffering harm by doing so). While the Parliament text insists on “explicit” consent as proposed by the Commission, the Council’s current version of the draft law proposes a more vague “unambiguous” consent, which seems to allow for interpretation on obtaining consent.
Legitimate Interest: The Parliament has narrowed down the “legitimate interest” of the data controller (which would allow for data collection and processing without consent) to what can reasonably be expected by the data subjects affected. The Council however are currently discussing allowing a change of the purpose of the data processing based on “legitimate interest” of the data controller. There are calls from supporters of the original text for this notion to be dropped as they state it weakens the individual’s rights under the regulation however such a hardening of legitimate interests does has massive impacts for industries that currently use legitimate interests under the current EU Directive. For example, the credit referencing industry in the UK.
Data Transfers: The Parliament continues to insist that companies are not allowed to hand over data from Europe directly to third countries´ authorities unless it is under a mutual legal assistance treaty or similar instrument based on European law. The original text contained wording to enhance this protection however this was removed after a period of lobbying by the US government. It made it back in to the Parliament’s text however doesn’t seem to be accepted for inclusion in the Council’s draft. After the Snowden revelations however there appears to be agreement that something is needed to protect against unlawful transfers of personal data.
Sanctions: The Commission originally proposed sanctions of up to two per cent of global annual turnover, and the Council seems to want to stick to this. The Parliament text looked to raise the possible sanctions to up to five per cent of the global annual turnover, or 100 Million Euros. It is unclear if the Council will support such a high percentage however it is widely accepted that such tough sanctions will discourage companies wilfully or neglectfully breaching data protection laws.
Coming up for 2015 so far we know that in March 12-13 the Council has issued a provisional agenda for the Next Justice and Home Affairs Council meeting and the DP Regulation is on there for further discussion (as it a lot of other legislation due for discussion). The Council still has not committed to a concrete timeline for coming to an approved updated Regulation text but given the current timelines and activity over that time I wouldn’t expect an agreed text until either late this year or early 2016.
Once the Council has agreed the text we then go into a ‘tri-party’ negotiation between the Council, the Parliament and the Commission. So we have come a long way, but still not far enough to have a good or ‘reasonably solid’ idea of what a final draft of the Regulation will look like. One thing is certain however, is that far from this being a “non-starter” or an elephant in the room, Data Protection is very much on everyone’s mind and this will come into force one way or another.