Who: Council of the European Union
Where: Brussels
When: 31 May 2013
Law stated as at: 6 June 2013
What happened:
A partial draft suggested compromise text was released by the Council on 31st May. The proposed amendments are limited to Chapters I to IV of the Regulation only.
Commission officials have stressed that nothing is set in stone and in particular, once any proposed “compromise” changes have been made to the remaining Chapters, these in turn may require more consequential tweaks to Chapters I-IV.
What is clear already, however, is a significant change in approach. Some are describing this as less prescriptive and more risk-based.
Others comment that the changes show strong signs of intensive lobbying by interest groups such as the marketing community having borne fruit.
Some of the key points for marketers to note from the new changes include the following:-
• Consent – a requirement in the earlier draft for consent to be “explicit” has gone but this must still be “unambiguous” to qualify as one of the grounds for lawful processing under Article 6.1. Explicit consent will still be needed, however, for processing of sensitive data;
• Legitimate interests – for the first time, although so far only by way of an amendment to recital 39, it is expressly accepted that “direct marketing can be regarded as carried out for a legitimate interest” of a data controller, so all other things being equal, this can provide an alternative ground to “unambiguous consent” for legal processing;
• Jurisdiction – amendments to recital 20 indicate a rowing back from the previous draft’s radical proposal that data controllers established outside the EU will be bound to comply with EU data protection law even if they do not use equipment located in the EU to process personal data. This would apply if the data controller, located in for instance the US, was offering goods or services to EU residents or monitoring them.
Now it is indicated that in order to determine whether goods or services are being offered to EU residents, the mere ability of an EU resident to access a website hosted on a server in, for example, the US will not be enough. Rather the non EU website will only be caught by the Regulation if it can be established that the controller “envisages doing business” with EU individuals. Relevant factors will include whether the site is in local EU state languages, whether it quotes prices in EU state currencies or mentions customers or users residing in the EU.
• Profiling – the changes have dropped provisions in Article 6 which effectively removed the “legitimate interests” processing ground where personal data was being profiled or where large amounts of personal data about the data subject were being processed or combined with other data;
• Purpose limitation – of interest particularly to “big data” processors, new and seemingly pragmatic and risk-based help is provided on whether further processing for different purposes will still be regarded as “compatible” with the original purpose and therefore acceptable.
Factors listed at Article 6.3a are “any link” between the original and later purposes, the context in which the data was collected, the nature of the data, the possible consequences of the further processing and the existence of appropriate safeguards;
• Data breach reporting – the time to report breaches has been extended from 24 to 72 hours and reporting is only now compulsory for significant breaches which may result in “severe material or moral harm,” with data subjects only to be notified of serious breaches;
• Data protection officers – in a dramatic change, the appointment of a data protection officer is no longer compulsory for companies of any size subject to any local member state requirements. The proposal states “The controller or processor may, or where required by Union or Member State law shall, designate a data protection officer.” If adopted, then the position would remain unchanged from the present with variations across Europe.
• Form of legislation – Eight member states including the UK favour a replacement Directive rather than a Regulation and proposed wording allows for flexibility so the Regulation could be transformed into a directive in future.
Why this matters:
These new Council proposals appear to offer some reasonable compromises and practical solutions if accepted, but they must come with the caveat that, as one EU mandarin said “nothing is agreed until everything is agreed.”
In the meantime the timetable keeps on slipping. The date for the binding vote by LIBE was originally planned for the end of May and has been postponed a second time to July 2013 before the summer break and it is believed the delays have been caused by the number of proposed amendments reported to be over 3000.
Once LIBE adopts its position it must then negotiate with the Council of Ministers and then finally the new Regulation must be approved by the European Parliament. Whether this can be achieved before the current European Parliament steps down for elections in spring 2014 is still unclear but this is certainly strong motivation to get the Regulation through within the original timeline, with implementation in 2016.