On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.
The implementation of the one-stop-shop mechanism has led to a number of discussions regarding the European Data Protection Board’s powers versus those conferred to the data protection authority (“DPA”) where the entity maintains its headquarters. In a note addressing these concerns, the Presidency focuses on specific elements of the mechanism and suggests possible ways forward regarding the scope of application, the role and powers of the lead DPA, the cooperation between lead DPA and other concerned DPAs, the notification and enforcement of adopted measures, remedies for individuals, and the role of the European Data Protection Board.
For example, the Presidency suggests that the DPAs’ powers could be regrouped into three main categories (investigative powers, corrective powers and authorization powers) and offers two options with respect to the lead DPA’s role: either the lead DPA could make decisions for all three power categories, or the lead DPA’s decisions could be limited to corrective and authorization powers. Further, the Presidency suggests that any action to be taken within the territory of a Member State can only be carried out by the “local DPA” (including in the context of mutual assistance following a request from the “lead DPA” in certain cases, such as an audit). The Presidency also proposes to maintain the individual’s right under Directive 95/46/EC to complain to the DPA of his or her choice, and suggests clarifying that if the DPA rejects an unfounded complaint, the individual may bring proceedings in the courts of the same EU Member State.
Although the Presidency acknowledges that there is general support for a right to data portability, some delegations raised concerns regarding the risks for companies’ competitive positions, administrative burdens, and the scope of the “automated processing system” concept. Accordingly, the Presidency’s note suggests limiting portability rights to cases where personal data have been provided by the individual and the processing is based on consent or a contract, and to Internet-related cases. The Council further recommends that controllers not be required to guarantee that they will directly transmit data to another entity that may be a competitor, and that controllers should have more flexibility with regard to the format they use to provide data portability (with a goal of reducing burden and costs for controllers). Finally, additional proposed provisions would ensure that data portability rights will not impinge on intellectual property rights, and the Council suggests clarifications regarding the controller’s right to retain data to the extent necessary to carry out contract obligations.
Data Protection Impact Assessment and Prior Checking
In a third note, the Presidency addresses issues relating to data protection impact assessments, which are intended to replace the current obligation to notify data protection authorities. Although there is strong support for data protection impact assessments, discussions have revealed that Member States are concerned about burdens such as the cost associated with the mandatory assessment and other requirements. The Council now suggests only requiring the controller (not also the processor) to carry out the data protection impact assessment, and has prepared a list of processing activities that present specific risks (e.g., decisions based on profiling, making decisions using sensitive data, large-scale public monitoring and biometric and genetic systems). Further, the Presidency recommends clarifying the concept of processing concerning “a systematic and extensive evaluation of personal aspects relating to a natural person” and the reference to “filing systems.”
The same note contains proposals to respond to the uncertainties surrounding the “prior checking” requirement. Some Member States are concerned that data protection authorities will not have the capacity to handle these consultations, and question the practical effect of the consultation and the reasons for requesting that processors consult with the data protection authority. Accordingly, the Presidency offers several clarifications, including that only data controllers should be required to consult with the data protection authority, and that only residual-risk cases should be subject to prior consultation.
Rules Applicable to Processors
In its note on rules for processors, the Presidency considers a number of improvements intended to clarify the framework governing the relationship between controllers and processors. The Presidency offers the following recommendations:
- controllers may only use processors that provide sufficient guarantees;
- the processor’s activities must be governed by a contract including a list of mandatory provisions; and
- the contract with the processor must detail the subject-matter and duration of the contract, the nature and purpose of the processing, the type of personal data and categories of data subjects.
The Presidency also specifies the comprehensive duties that the processor owes to the controller while processing personal data, and suggests including provisions to facilitate basing the contract on standard contractual clauses adopted by either the European Commission or a data protection authority.