Who: EU Council of Ministers
When: 30 June 2014
Law stated as at: 30 June 2014
By fair means or foul, a new version of the draft data protection regulation was published, or maybe leaked, on 30th June 2014 (“New Draft”).
This was the last day of the Greek presidency of the Council before Italy took over and the New Draft, which by all accounts may not have been intended for public consumption, reveals much of the direction of travel in a journey that started over 30 months ago.
A foretaste was in EU Ministers’ 30 June 2014 communiqué which read:
“…it will be crucial to ensure the protection and promotion of fundamental rights, including data protection, whilst addressing security concerns, also in relations with third countries, and to adopt a strong EU General Data Protection framework by 2015.”
In October 2013 they said:
“It is important to foster the trust of citizens and businesses in the digital economy. The timely adoption of a strong EU General Data Protection Regulation framework is essential for the completion of the Digital Single Market by 2015.”
Spot the minimal differences and the consistently delphic tones on timescales.
Still nearly 600 comments and concerns
Turning to the new draft regulation dated 30 June 2014, the first thing that catches the eye is the nearly 600 comments below the text revisions. The UK features heavily here in expressing reservations or suggesting deletions, but it is not alone, although on first impression it seems well ahead of the pack in terms of requests for deletions.
For example, the UK suggests that the entire article on data portability should be deleted. It believes in the principle of data subjects being able to call on data controllers to transfer their data to other data controllers (for instance when changing utility or banking services providers) but it believes this is more within the scope of consumer or competition law than data protection law.
The UK also expresses concerns about Article 28, which obliges data controllers to keep records of all categories of personal data processing activities they undertake in at least six prescribed categories.
This is intended to take the place of the existing obligation on data controllers to register their personal data processing activity with national data protection authorities (“DPAs”).
The UK comments, however, that the administrative burden created by Article 28 nullifies the benefits of abolishing registration with DPAs. However, just four other countries share these concerns.
Profiling change is cause for guarded marketer relief
One change provides rare comfort for marketers, though this must be guarded because of the “nothing is agreed until everything is agreed” mantra. The definition at Article 20 of “profiling” (for which marketers will likely need “explicit consent”) has been tweaked slightly so that whereas before the processing had to “severely” affect the data subject to qualify as profiling, it now only has to have a “significant” effect.
What little difference a year makes
Another notable feature in the new draft is the sheer paucity of changes made to the draft since June 2013, a whole year previously.
This means no real progress on agreeing provisions concerning, for example, profiling, pseudonymous data, privacy impact assessments or the so-called one stop shop mechanism, where a business with locations across the EU would only be obliged to deal with the DPA where it had its “main establishment.”
Why this matters:
If and when EU Ministers agree this draft, it will be time for trilogue negotiations involving the Ministers, Euro MPs and the Commission. If these finally bring home a draft on which there is consensus, adoption will be followed by a two year implementation period before the reforms are fully in force.
Distractions from the heavy lifting
But there is clearly a good deal of heavy lifting to be done before then, with current data protection topics under discussion at the start of the Italian presidency being:
• member state flexibility for the public sector: Germany, for example, has much stricter data protection rules for its public sector. Currently this is possible because of the flexibility allowed by the Directive-based approach, but how to achieve this under an inflexible Regulation? For this and other reasons UK ministers continue to push for a Directive but query how much support it has on this from other states;
• review of safe harbour: a distraction from the main grunt work on the Regulation which will lead to yet more delays, but crucial nonetheless due to reservations expressed by some EU member states and the Article 29 Working Party, although all the signs are that improvements will be agreed by the US to allay European concerns;
• the ECJ right to be forgotten ruling in Google/Spain: another distraction in some ways but potentially crucial in terms of how its huge practical implications must inform and hopefully significantly water down the current provisions in the draft “Right to be forgotten and to erasure” Article 18.
All these factors, plus the general sclerosis caused by the European parliamentary elections and Commissioner changes, point clearly to early 2015 at the earliest for agreement and maybe even later.
Early 2017 “in force” prospect is no reason for inaction now
So this means delay until the first part of 2017 before any reforms will be in force.
But one thing is clear: whatever the end product of what looks likely to be one of the longest gestation processes undergone by any EU measure, the new regime will be significantly stricter than it is now.
Which means that those who take the time now to make sure their houses are in order under the existing Directive will find life a good deal less challenging when the new laws arrive.