What should you expect of the global EU data protection show?
While the Finnish privacy lawyers of Bird & Bird were raising a toast to the results of the past fiscal period last Friday, the Council of Europe rallied once again in Luxembourg to discuss its approach to the EU data protection reform and some of the most eye-catching contents of the proposed General Data Protection Regulation (GDPR). For the interest of the public, progress was made on some key questions.
However, even though Commissioner Reding announced that the long-stalled negotiations are moving in a dynamic direction in the Council as well, fundamental questions still remain unanswered.
While it is difficult to foresee the results of the Council's debate at this stage, or the final outcome of the negotiations between the Council and the European Parliament, one could note that the GDPR's future has slowly begun to take shape. The regulation has also come to include, in addition to several obligations for controllers, mechanisms that can also be understood as a competitive advantage for undertakings. This was reflected in the latest comments on the provisions regarding international transfers of data.
EU data protection and the flow of information go global
First things first. According to the discussions between the ministers last Friday, the Council agreed on an approach to the provisions on international transfers of data and the territorial scope of the GDPR quite similar to what the Parliament and Commission have proposed. Among other things, all of these bodies seem to share the view that the GDPR should apply to companies not established in the EU but doing business in the EU.
Such a view is not surprising in the light of the recent decision of the Court of Justice of the European Union where the national establishment of Google could be considered liable for the processing of personal data in Google's search engine.
Further, there appears to be a general understanding of the lawful grounds which may be relied on when transferring data outside of the EU to third countries. Either the country to which the data is transferred must ensure an adequate level of protection of personal data, or appropriate safeguards for the transfer must exist, or clearly defined specific situations must necessitate the transfer. The details of these requirements have begun to take form, and, for example, the role of binding corporate rules in making data transfers lawful within a group of undertakings or a group of enterprises engaged in a joint economic activity would be cemented.
Interestingly, when taking a look at the details of the provisions on international transfers of data, the Council and the Parliament also seem to have made similar fine tuning to the Commission's original proposal and suggest e.g. that appropriate safeguards for the transfer of data outside of the EU could also be ensured by introducing certification mechanisms.
What does this mean? The proposed framework would provide industry with several options to transfer data outside of the EU, which would improve the free flow of information. In Finland this would also, for instance, make the use of binding corporate rules simpler, since harmonized regulation would make their implementation easier and address problems caused by differences in national legislation, such as the requirements of employment law.
Naturally, there are differing viewpoints to be negotiated, and the Council is yet to establish its final opinion on the package. For example, even though it agrees with the Parliament on certain issues regarding data transfers, the Council's draft text does not include a similar NSA-influenced provision strictly regulating transfers and disclosures of data requested by authorities of a third country, as the Parliament had proposed. However, unlike the Parliament's proposal, the Council's notes mention a controller's legitimate interest as a lawful derogation allowing the transfer of data to a third country.
The Council also had difficulty reaching an agreement on the so-called one-stop shop mechanism, which sets out how data protection issues concerning a controller established in one country but involving several member states could be handled by one competent supervisory authority. The news was that guidelines were defined for future work. So far it appears that the difficulties have been caused by the fact that the proposed framework would affect, in a novel way, national authorities' jurisdiction and their ability to decide on the rights and obligations of companies and individuals in other member states as well. This could affect citizens' access to justice or lead to forum shopping.
Something old and something new
Some progress has been made, but there is still a lot of work to be done. While the final contents of the possible GDPR are yet to be negotiated, several businesses relying increasingly on the use of personal data need to plan how to deal with data protection and, one day, also with the future regulation. Even in the absence of the GDPR, planning data processing in relation to the challenges of the present and building the trust of customers is important.
When looking at the reform as a whole, one can note that several fundamental principles of the GDPR correspond to what was already regulated 20 years ago. For instance, the GDPR's requirements of 'privacy by design' and 'privacy by default' resemble the idea behind the Finnish Personal Data Act's obligation to plan all personal data processing operations prior to undertaking any processing activity.
Needless to say, compliance will be important. A facelift of data protection is expected and, as many have noted, several concrete obligations for those responsible for personal data in some way will be introduced.
Above all, controllers would be held accountable for complying with the regulation, and the sanctions included in the regulation would require controllers to take measures by providing an additional 'incentive' compared to the current costs of non-compliance. However, the basis of the regulation makes it predictable. This should also be kept in mind when the industry plans how to deal with the impact of the proposed obligations.
For further information, please contact our data protection team in Finland:
Partner Jesper Nevalainen
Senior Counsel Kaisa Keski-Vähälä
Associate Iiro Loimaala