On June 6, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding key issues concerning the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The discussions were based on the Irish Presidency’s draft compromise text on Chapters I to IV of the Proposed Regulation, containing the fundamentals of the proposal and reflecting the Presidency’s view of the state of play of negotiations. At the Council meeting, the Presidency was seeking general support for the conclusions drawn in their draft compromise text on the key issues in Chapters I to IV.
Alan Shatter, Minister for Justice, Equality and Defense of Ireland, who chaired the meeting, noted the extensive work completed and progress made since the previous Council meeting on March 7-8, 2013. He emphasized the theme, later repeated by the EU Member States, “Nothing is agreed until everything is agreed,” to reiterate that the Presidency is seeking broad support for the approach. He also acknowledged that nothing can be settled conclusively at this stage.
Although most Member States broadly supported the general approach of the Presidency, there is still a need for further discussions and additional work on several key issues, including the risk-based approach and flexibility for the public sector. Additionally, some Member States (e.g., Germany, Denmark and the UK) found it premature to endorse the document since they do not support all of its conclusions.
Some of the main issues discussed during the deliberations included:
Some Member States still have reservations regarding the use of a regulation as the legal mechanism (according to the Presidency’s Note, Belgium, Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia and UK).
Although some Member States supported the Presidency’s suggestion that consent should be “unambiguous,” several ministers emphasized their support for the Commission’s “explicit” consent requirement (France, Poland, Italy, Romania and Greece).
Member States expressed their broad support for the risk-based approach, but noted that more work was needed, including on the definition of “risk” and the relevant factors to be taken into account when assessing risk.
EU Institutions, Agencies, Bodies and Offices
There is strong support for ensuring that the EU institutions, agencies, bodies and offices are subject to equivalent data protection rules, and that those rules come into effect as soon as possible. The Council’s Legal Service noted that – for reasons of sound drafting and legislation – provisions applicable to EU institutions should be put in a separate instrument, not in the Proposed Regulation.
Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding also addressed the Council and highlighted that the current level of protection as laid down in the EU Data Protection Directive 95/46/EC should not be undermined. The Presidency concurred.
Shatter noted that the Proposed Regulation will remain a priority for the final three weeks of the Irish Presidency, with several working group meetings already scheduled for June.