On Monday 15th June 2015, Ministers representing the Member States at the EU Justice and Home Affairs Council at long last agreed a General Approach to the proposed General Data Protection Regulation. This decision has been built up slowly and with difficulty since the European Commission published its proposal in January 2012.
The adoption of the General Approach carried with it authority for the Presidency to conduct negotiations with the Commission and the Parliament (‘trilogue’ discussions) with a view to achieving a compromise text to be adopted as the final Regulation. The trilogue discussions are expected to start on 24th June before the end of the Latvian Presidency with the objective of adopting a text by the end of the year and a programme of monthly meetings concluding in December has already been published. However, in the light of the previous slow progress since 2012 and bearing in mind that trilogue discussions often take many months, this target date might prove optimistic.
Important changes to the Commission’s text proposed by the Council of Ministers include the following:
- A new recital emphasising that data protection is not an absolute right and must be weighed against other fundamental rights.
- Extension of the definition of police functions excluded from the Regulation.
- Power to Member States to modify the application of the Regulation to the public sector.
- Possibility of broad consent by individuals to the use of their data for scientific research.
- If established in more than one Member State, a controller’s or processor’s place of establishment to be, prima facie, its administrative centre.
- Pseudonymisation defined and encouraged.
- Processing for public archives, scientific, statistical, or historical purposes deemed to be compatible with the original purpose and retention of the data for those purposes permitted.
- Processing of employee and customer data and data for direct marketing and fraud prevention are all legitimate interests as are reporting criminal acts and threats to public security.
- Processing of sensitive data is permitted to defend legal claims, for public archives and for public health purposes, including research in the public interest in the area of public health (broadly interpreted and subject to safeguards in EU or national law).
- Subject Access can be refused if a request is manifestly unfounded.
- Data portability is restricted to data provided by the individual and does not apply if it would infringe intellectual property rights in relation to the processing of the data.
- Automated decision-making including profiling is permitted for ‘fraud and tax evasion monitoring and prevention purposes and to ensure the security and reliability of a service provided by the controller’.
- Compliance measures to be taken by controllers are to be proportionate and to take account of the degree of risk to individuals; compliance with approved Codes of practice can demonstrate compliance and the EDPB is to identify low risk processing.
- Processors must have the prior consent of the controller to employ sub-processors.
- Only high-risk data security breaches are to be reported to the DPA, and where feasible within 72 rather than 24 hours; severely affected individuals are to be informed, unless the data are encrypted.
- PIAs required in high risk cases; DPAs can specify high and low risk cases.
- Appointment of Data Protection Officers is discretionary unless made mandatory by EU or Member State law.
- Diluted ‘one-stop shop’ setting out extensive rules by which one DPA regulates a group, but all interested DPAs can be involved in investigations and individuals can complain to their local DPA.
- Sanctions are to be proportionate ranging from a warning or reprimand up to 1 million EUR or 2% of global turnover; fines are to be discretionary.
- Strengthened rules on the protection of freedom of expression including academic freedom.
- Member States are authorised to provide extended and specific derogations and protections when personal data are processed for historical, statistical, scientific, or archiving purposes.
- Commission’s delegated and implementing powers are reduced.
- Data export without further authorisation can also be on the basis of compliance with an approved code or certification and existing adequacy decisions remain in force until revoked or replaced under the new procedures.