On May 31, 2013, the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.
Current Legislative Status
The Council of the European Union is composed of the ministers of the EU Member States and, together with the European Parliament, serves in a legislative capacity acting on proposals from the European Commission. The Presidency of the Council rotates among Member States every six months with each Presidency developing initiatives and setting the Council’s agenda during its six-month term. Currently, the Presidency is held by Ireland, with Lithuania taking over on July 1 for the second half of 2013. The Irish Presidency has made the Proposed Regulation a particular focus of its term.
The European Commission published the Proposed Regulation in January 2012. Over the last 18 months, the Proposed Regulation has been the subject of intense negotiations, re-drafts and media speculation in Brussels and across the EU. In January 2013, the appointed lead rapporteur of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, issued the Committee’s draft report on the Proposed Regulation, proposing a number of significant amendments. Four other European Parliament committees also released opinions proposing amendments. In total, over 3,000 amendments to the Proposed Regulation have been put forth, resulting in the LIBE Committee further postponing its orientation vote, which had originally been scheduled for March 2013, but was delayed until May 29, 2013.
The LIBE Committee currently is considering the amendments to the Proposed Regulation and preparing a compromise text for a European Parliament vote. The next step will then be for the European Parliament and the Council of the European Union to negotiate the finalized text. Given the forthcoming summer recess, these negotiations are not expected to take place before September 2013.
Draft Compromise Text
In anticipation of the negotiations between the European Parliament and the Council of the European Union, the Irish Presidency has prepared compromise text for the Council to consider. The Presidency’s amendments are limited to only Chapters I to IV of the Proposed Regulation, and, accordingly, do not offer amendments on issues addressed in later chapters, including international data transfers, powers of the supervisory authorities or sanctions.
The draft compromise text tempers many of the European Commission’s original proposals that had been the subject of some of the most vociferous debate. In particular, it narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework. The Presidency also emphasizes that no single part of the Proposed Regulation can be finalized until the text of the whole Proposed Regulation is determined.
Choice of Instrument
The Presidency notes that eight Member States (Belgium, the Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia and the UK) still do not support the Commission’s choice to use a regulation as the legislative instrument in this process, and would prefer that the current EU Data Protection Directive 95/46/EC (“Data Protection Directive”) be repealed and replaced by another directive. The Presidency’s amendments leave flexibility for the Proposed Regulation to be transformed into a directive in future. The Presidency has therefore not ruled out the possibility of using a different instrument.
Although the possibility of recasting the Proposed Regulation as a directive remains, the Presidency’s amendments emphasize that differing levels of data protection within the European Union must not impede the free flow of personal data within the Union (Recital 11).
Scope of the Proposed Regulation
The Presidency proposes parallel amendment of Regulation 45/2001 (on the protection of individuals with regard to the processing of personal data by the Community) to bring the processing activities of European Union bodies within scope of the Proposed Regulation (Recital 14a, Article 2(b)). Latitude is, however, granted to public bodies in a number of amendments, including clarification of public access to official documents for public interest purposes, and recognition of the ability of public bodies to respond to information requests under freedom of information statutes.
The amendments further clarify the extraterritorial application of the Proposed Regulation to data controllers located outside of the EU. Recital 20 explains that mere accessibility of a controller’s website from within the EU would not constitute “the offering of goods or services” under Article 3(2), and that whether the controller appears to “envisage” doing business with EU data subjects is a determining factor. Whether a controller “envisages” doing business with EU data subjects can be ascertained from the functionality of a controller’s website, including local language and currency. The amendments also delete Recital 64 of the Commission’s proposals, which would have applied to data controllers that “occasionally” offer goods or services to EU data subjects.
The Presidency’s amendments further clarify the extraterritorial application of the Proposed Regulation to data controllers located outside of the EU that monitor the behavior of EU data subjects (Article 3(2)(b)): the monitored behavior must take place within the EU. Accordingly, the Proposed Regulation would not apply to monitoring the behavior of data subjects habitually resident in the EU, but temporarily based outside of the EU.
Regulation 23 of the Presidency’s re-draft emphasizes that the principles of data protection do not apply to the processing of anonymous data or personal data relating to the deceased. Whether information is considered “anonymous” depends in part on the costs and the amount of time required to identify the data subjects to whom the data relate. This clarification will no doubt be welcomed by data controllers, given the practical and technical difficulties of achieving complete and permanent anonymization.
The amendments clarify that, under the household exemption, the Proposed Regulation does not apply to social networking and online activities by individuals, provided that they are undertaken as a household activity (e.g., not sponsored bloggers).
Overall, the Presidency’s draft compromise text can be seen as a more business-focused, pragmatic approach. For example, the Presidency has drafted an additional recital (Recital 3a), clarifying the right to data protection as a qualified right, highlighting the principle of proportionality and importance of other competing fundamental rights, including the freedom to conduct a business.
The principles of proportionality and context are consistent themes throughout the Presidency’s amendments. In particular, the compatibility of further processing purposes is dependent on a number of factors, including the context of collection, and: (1) any link between the original purposes and intended further purposes; (2) the reasonable expectations of further use anticipated by the data subject; (3) the nature of the personal data; (4) the consequences for data subjects of the further intended processing; and, (5) appropriate safeguards.
Proportionality and a risk-based approach also are reflected in the Presidency’s revision of the documentation requirements. Whereas Recital 60 would have required that data controllers be “obliged to demonstrate the compliance of each processing operation with this Regulation,” the Presidency suggests that controllers demonstrate their compliance in more general terms, keeping records and conducting data protection impact assessments (“DPIAs”) depending on the nature, scope, context and purposes of specific processing activities and the associated risks to the rights and freedoms of data subjects. These risks are to be viewed against a backdrop of physical, material or moral harm to data subjects, including discrimination, identity theft, financial loss or reputational damage.
The criterion for valid consent is amended from “explicit” to “unambiguous,” except in the case of processing special categories of data (i.e., sensitive personal data) (Recital 25 and Article 9(2)). This reverts to the current position under the Data Protection Directive and is a concession to the practical difficulty of obtaining explicit consent in all cases.
The criteria for valid consent are further relaxed by the ability to obtain consent in writing, orally or in an electronic manner, and where technically feasible and effective, valid consent can be given using browser settings and other technical solutions. Further, the requirement that the controller bear the burden of proof that valid consent was obtained is limited to a requirement that the controller be able to “demonstrate” that consent was obtained (Recital 32 and Article 7(1)). The need for “informed” consent is also relaxed from the requirement to provide the full information requirements laid out in Article 14 to the minimal requirements that the data subject “at least” be made aware of: (1) the identity of the data controller, and (2) the purpose(s) of the processing of their personal data (Recitals 33 and 48).
The Proposed Regulation requires separate and distinguishable written consents for processing for different purposes (Article 7(2)). This obligation is softened by requiring that the requests for consent for separate matters be presented in a distinguishable manner, rather than requiring that the consents themselves be distinguishable. Data controllers would therefore not be prevented from obtaining written consent to multiple processing activities, provided clear and distinguishable notice of each different processing activity was provided.
Under the Proposed Regulation, valid consent cannot be given where a significant imbalance exists between the data subject and the data controller (e.g., in the employment context). This is tempered in the Presidency’s draft by the shift from a default assumption that valid consent cannot be obtained to an assessment in each specific situation (Recital 34).
The definition of “child” as someone under 18 years of age is deleted (Recital 29 and Article 4(18)).
The legitimate interests basis for lawful processing (Article 7(f) of Directive 95/46/EC) is explicitly extended to include: (1) fraud prevention; (2) anonymizing or pseudonymizing personal data; and (3) direct marketing purposes. The first extension likely will be particularly appreciated by data controllers operating in the financial and retail sectors. The second extension reflects calls widely made, including by Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding, to incentivize the processing of anonymous and pseudonymous data in place of personal data. The third extension seems likely to cause the most surprise, and may not be unanimously welcomed, although it could be said to reflect current practice in more permissive jurisdictions such as the UK.
The establishment, exercise or defense of legal claims is introduced as another possible specific ground for the lawful processing of sensitive personal data. This additional lawful processing ground could offer relief to data controllers processing personal data in the context of legal discovery requests.
Data Breach Reporting
As expected, the timeframe for reporting personal data breaches is extended from 24 to 72 hours (Recital 67 and Article 31). Further, only significant breaches which may result in “severe material or moral harm” must be notified to the competent supervisory authority (Recital 67 and Article 31). This amendment diverges significantly from the Proposed Regulation, which required notification of all data breaches and did not specify any harm threshold. Similarly, the Presidency advocates notification to affected data subjects only for severe breaches, and would not require notification to both the supervisory authority and to data subjects where technological measures applied to the personal data mean they are unintelligible to third parties, or if the breach affects pseudonymized data that would be unintelligible to third parties (Recital 68a and Articles 31(1a) and 32(3)(a)). In addition, notification to data subjects would not be required if the controller takes subsequent steps to protect affected data subjects (Article 32(3)(b)), and, where it would involve disproportionate effort to notify data subjects individually, the controller may instead make a public communication (Article 32(2)(c)).
Codes of Conduct
Codes of conduct and certification play a more prominent role in the Presidency’s proposed draft, in particular with respect to (1) demonstrating privacy by design and default, as a quality certification for processors sufficiently guaranteeing processing in accordance with the requirements of the Proposed Regulation, and (2) data security measures.
Reduced Role of the European Commission
A particular criticism of the Proposed Regulation has been the number of instances in which the Commission reserves the power to legislate further, in the form of delegated and implementing acts. Such potential for further amendments would leave controllers and processors uncertain of their obligations and seriously impede long-term business planning since the rules could be changed at any time. The Presidency’s proposed text deletes all implementing acts and all but one power to adopt delegated acts (Article 39a) in Chapters I to IV.