Ruth Boardman, partner & co-head of Bird & Bird’s International Data Privacy Practice and Francis Aldhouse, consultant to Bird & Bird and former Deputy Information Commissioner
The Commission’s Proposal
The European Commission published its proposal for a General Data Protection Regulation on 25th January 2012. The Commission has the power of initiative; it cannot legislate. The co-legislators are the European Parliament and the European Council. Considerable attention has been paid to the work of the European Parliament; less has been paid to the European Council. However, they will jointly determine the fate of the proposal. This article looks at the work of both to date and highlights where there are areas of common concern.
The Council of the European Union
What has the Council been doing?
Danish presidency, Jan – June 2012
The working party of officials (known as DAPIX) drawn from member states started its examination of the proposal. An Interim Report in July 2012 indicated that consideration had reached as far as Article 10!
The report contained extensive suggestions and comments. These included:
(1) concern as to the provisions granting delegated powers to the Commission and a demand for matters to be left to national decision in some cases;
(2) suggestions that the duties on data controllers were too strict or absolute – a risk-based approach was recommended;
(3) the application of the rules to the private sector was felt to be insufficiently flexible;
(4) comments from France, as expected, as to the appropriateness of the ‘one-stop shop’ arrangement which might exclude the authority of the CNIL to protect French citizens. At the same time France also called for regulation to be based on the degree of risk to the individual.
(5) calls for encouragement to pseudonymise data with consequential relaxation of regulation; and
(6) for greater recognition of other fundamental rights against which data protection must be weighed.
Cyprus presidency, July – December 2012
When Cyprus took over the Presidency from Denmark it promised more frequent meetings of DAPIX. In a report prepared for the Justice and Home Affairs Council on 6th and 7th December 2012, it was reported that the working party had got as far as Chapter V of the draft Regulation. That was probably an optimistic way of saying that DAPIX had got no further than article 39 at the end of Chapter IV.
Cyprus decided to focus on three horizontal issues on which delegations had often expressed concerns. The issues were addressed as matters of principle applying throughout the draft Regulation rather than trying to deal with them article by article. These concerns specifically related to, again,
(1) the number of delegated and implementing acts,
(2) the administrative burdens and compliance costs imposed by the draft Regulation and
(3) the application of data protection rules to the public sector.
At the end of the year, the report submitted by the Presidency to COREPER and the Council reported a general desire by member states to reduce the delegated and implementing powers which the Commission proposed for itself. This position was not universal; some delegations had not responded to the secretariat questionnaire; Portugal and Poland were often supportive of the delegated powers; but France, Germany and the United Kingdom were almost entirely and systematically opposed to the powers. The report also proposed that DAPIX should work on ‘a strengthened risk-based approach’, and that greater flexibility should be proposed for member states when applying data protection to their public sectors.
Irish presidency, Jan – June 2013
On 22nd January, the Irish Minister for Justice and Equality and Minister for Defence, Alan Shatter, presented the new Irish Presidency’s priorities to the LIBE Committee: data protection, Schengen issues including the accession of Bulgaria and Romania to the border-free area, and asylum. The minister said he would also press for progress on Passenger Name Records (PNR), confiscation of proceeds of crime, seasonal workers, intra-corporate transferees and right of access to a lawyer. It is not clear that quick progress can be made on so many different priority issues, even if data protection was first on the list.
A few days earlier, on 17th and 18th January, Ireland had convened an informal meeting in Dublin of Justice and Home Affairs Ministers to consider three more ‘key issues’ in the draft Regulation. They were:
(1) the ‘household exemption’;
(2) the ‘right to be forgotten’; and
(3) administrative sanctions.
The Justice and Home Affairs Council meeting on 7th & 8th March continued to express the Council’s concern about both the extent of the proposed delegated and implementing powers for the Commission and the need for greater flexibility in relation to the public sector in each Member State. It also proposed a risk-based approach to the responsibilities of data controllers, and the Presidency has substantially re-drafted Chapter IV of the proposed Regulation, including in particular a ‘horizontal clause’ in Article 22. The intention is that the burdens on controllers should be tailored to the risk to the data subject.
We shall have to wait for further reports of the Council’s discussions towards the end of the Irish Presidency in June 2013, but we can draw some conclusions from the general tenor of the work and its progress.
Notwithstanding the usual diplomatic remarks about the need for the Regulation and the importance of protecting citizens’ rights especially on the internet, there is clearly profound dissatisfaction with the Commission’s proposal among Member States.
The European Parliament
On 14th May 2012, Jan Philip Albrecht, the rapporteur for Parliament’s LIBE committee, published the timetable to which he wished to work. It was clearly driven by the desire to meet the 2014 deadline – when the current term of the Commission and Parliament expires. (The last plenary meeting of this Parliament is likely to be held in the middle of May 2014, before the elections for the new Parliament in early June.) Albrecht proposed that he would present his draft report in November 2012 and that the deadline for tabling amendments would fall in December. In fact the report was submitted in January and the date for amendments was the end of February. The very tight and optimistic timetable has already slipped by two months.
The original timetable proposed that discussions be held in February 2013 between LIBE, the lead committee, and the other committees which had offered opinions. Those discussions are now taking place in March. The earliest date for the orientation vote in LIBE will be April if the lost time can be made up. May or even the autumn looks more probable.
In addition to Albrecht’s report, a number of other committees have submitted opinions and comments broadly supportive of the proposal, but containing a range of suggested amendments. So for example the opinion of the ITRE Committee adopted on 20th February 2013 proposes several amendments sponsored by business organisations such as an amendment calculated to facilitate the processing of smart grid data by utility companies. This has been strongly criticised by privacy lobbyists.
It is not possible to summarise the amendments suggested by MEPs here, both due to space constraints (3000+ amendments have been suggested) and as some opinions are still to be finalized.
It is, however, useful to compare the positions being taken by Parliament with the concerns highlighted by the Council. As can be seen, changes to:
(1) the powers reserved to the Commission;
(2) the one-stop shop;
(3) the right to be forgotten;
(4) the household exemption; and
seem particularly likely, as broad concerns are shared by Council and Parliament.
Powers reserved to the Commission:
The Commission proposal reserved extensive powers for the Commission to adopt delegated and implementing acts. (Delegated acts are legislative acts which amend or supplement non-essential elements of the legislation. Implementing acts are intended to be of an executive character, which do not amend or supplement the original legislative instrument. The two types of act are subject to different forms of political control).
Substantial amendment seems likely after criticism from all sides and an early indication from the Commission that changes could be made.
Heavily criticised. No published drafting has come from the Council, but the Cyprus Presidency reported that ‘the majority of delegated acts are rejected by Member States. There is more willingness among Member States to accept or discuss implementing acts …’
Albrecht’s report proposes shifting much of the Commission’s power to adopt supplemental measures to the European Data Protection Board.
Cost of compliance:
Criticism of excessive administrative burdens & costs on controllers. Move to risk-based approach recommended.
Albrecht’s report adds to compliance cost (for example, by requiring any legal person which processes personal data about 500 or more data subjects per year to appoint a Data Protection Officer).
Other reports try to address this – for example, the ITRE Opinion proposes that SMEs should not need DPOs.
Application of rules to public sector:
The Cyprus presidency reported that ‘many Member States already made it clear that they need more flexibility regarding data protection rules for the public sector to enable them to adapt these rules to their constitutional, legal and institutional setup. … this issue is one of particular sensitivity and importance to delegations.’
The Parliament is likely to take a different view and some MEPs have objected to the fact that processing by the police & justice authorities is subject to a separate Directive, not the Regulation. According to Dutch MEP Sophie in ’t Veld:
"Decisions taken by police and justice authorities are often more invasive to people's lives than those of private companies. The data used to prevent and persecute crime are by default very sensitive."
Considered to be insufficiently flexible: fines should be optional or conditional on warnings or reprimands being given. There should be flexibility to take into account mitigating factors – such as adherence to an approved code of conduct.
Albrecht’s report introduces somewhat more flexibility for DPAs. However, the level of sanctions is toughened, as 2% of turnover becomes the cap for any breach, unless a lower level is specified.
Again, other reports take different views – for example, the IMCO report proposes inclusion of mitigating (and aggravating) factors.
Right to be forgotten:
Criticised as unrealistic.
The Irish Presidency suggested in its informal January 2013 paper that the exemption might not be ‘reasonable and feasible’ and the problem of data referring to several individuals was specifically mentioned. This exemption was not discussed by Ministers in March 2013.
Also criticised as unrealistic in Albrecht’s report. Amendments are suggested so that this should not apply to data which is lawfully published. In other situations, however, the controller’s obligations are strengthened – as the original controller is made responsible for ensuring erasure by third parties. (The original proposal required that the original controller pass on the request).
The household exemption was stated to cover correspondence and address books. However, any connection with commercial or professional activity would be regulated.
Felt to be too narrow:
During the Cyprus Presidency some questioned the ‘no gainful interest’ test. UK mentioned the selling of private possessions on auction sites. Other states were concerned to exclude publication on social networking sites from the exception. The Irish Presidency suggested in its informal January 2013 paper that the exemption might be too narrow, but discussions were not continued in March 2013.
Also considered to be problematic – for example, Albrecht’s report indicates that private selling (e.g. via eBay) would not necessarily fall outside the exemption.
The Commission proposal suggested that the DPA for the controller’s main establishment could act as a one-stop shop for certain purposes.
While there is general support for easing the supervisory burden on business, there is strong concern, particularly from France, that ‘the application of this criterion, … would put a greater distance between the citizen whose data is at issue and the competent data protection authority…. the national authority where the citizens concerned are resident should be the only competent authority to receive, examine and adjudicate on complaints.’
Heavily amended in Albrecht’s report. The ability of a DPA to regulate on its own territory is reinforced. The one-stop shop is recast as a single point of contact.
Pseudonymisation:
Pseudonymisation was not mentioned in the Commission proposal, which relies on the existing bright line distinction between personally identifiable and non-identifiable data.
Lighter touch regulation for pseudonymised data is part of the Council’s favoured risk-based approach to recasting the Regulation.
Albrecht’s report defines a ‘pseudonym’ and gives a very limited relaxation of the rules on consent for pseudonymous data.
Where do we go from here?
Both the Parliament and the Council must complete their first consideration of the proposed Regulation. The Parliament is likely to have adopted a preliminary position by the summer, but it is not clear what compromise will be struck between the LIBE Committee and others such as ITRE. The Council work is more radical in seeking to recast the Regulation in a risk-based manner. The potential disagreement between the Parliament and the Council might not be readily resolved.
There will clearly need to be Trilogue discussions between the Council, the Parliament and the Commission. It is still possible that the Regulation might be adopted by the middle of 2014. It will require substantial compromise largely on the part of the Commission and the Parliament: there might well be a blocking majority of at least 88 weighted votes in the Council under ‘qualified majority’ voting to ensure that no progress could be made on many elements of the proposal. Many Member States might, often for different reasons, prefer the arrangements under the current Directive 95/46/EC.
What is to be done?
There is still scope to achieve amendments to the proposal particularly through the discussions in DAPIX, the Council working party. Representations to national ministers and officials are the routes to achieving that end. As always, one should:
Propose well-argued changes with supporting facts and precise textual amendments;
Build European alliances;
Use the fundamental rights language – everyone has rights in the Treaties including businesses.
But business should avoid being seen as aggressively self-interested; it should recognise the policy demand for effective data protection and should avoid provoking the strong group of privacy advocates.