On June 15th 2015 at their Council meeting, the Justice and Home Affairs Ministers of the EU reached an agreement on their version of the proposed General Data Protection Regulation (GDPR).
Now it is up to the trilogues – the European Commission, the European Parliament and the Council of Ministers – to decide how to finalise the text of the Regulation, which is expected to be delivered by the end of 2015. Within a transition period of two years after its enactment, the Regulation will be applied in every single EU member state.
The current legal data protection situation in the EU is marked by a patchwork of privacy regulations, since 28 member states have enacted their own regulation based on the Data Protection Directive dating back to 1995, and this has led to a variety of different data protection levels.
Highlighting one aspect of the GDPR helps to get a clearer picture of the intended enforcement of citizens’ rights: companies, for instance, can currently escape from stronger protection rules by simply establishing their centre of operation in another country – even in a country outside the EU – that has weaker data protection standards. This procedure will be stopped with the repeal of the 1995 Directive and the enactment of the Regulation, as the proposal foresees an extraterritorial effect of the EU data protection law. This means that whenever the European market is targeted by a company based in the EU or elsewhere, the strong EU protection rules will apply.
Other noteworthy aspects approved in the Council’s draft include the following issues:
- Right to erasure, data access and correction
- Right to information and transparency
- Trans-border data flow to third countries
- Future-flexible definitions (e.g. personal data, pseudonymisation, profiling)
- Privacy by design
- Sanctions
- Appointment of a data protection officer
- One-stop-shop mechanism – one data protection authority for the whole EU.
The new unified Data Protection Regulation, which will be directly applicable in EU member states, will enable data protection controllers and users to better understand their obligations and rights. A large number of businesses will be faced with changes to their long-standing practice in data protection matters. A common data protection level should be applauded, as it will lead to more clarification and legal adjustments to match the constantly changing developments in technology, which the 1995 Data Protection Directive cannot provide.
‘There are clearly differences (between EP and the Council), notably on consumer rights and the duties of businesses’, said Jan Albrecht, Parliament’s lead MEP on the Data Protection Regulation, indicating that there are issues still to be solved. Remarks about the necessity of re-evaluating certain regulatory aspects, or being more specific and clearer on the formulation of obligations, have also been interpreted as critique. The GDPR has also been partly seenas an instrument which would ‘kill off Europe’s cloud computing industry’, and Joe McNamee, Executive Director of European Digital Rights, criticised the Regulation by commenting that ‘The Council position is a mixture of reckless disregard for citizens’ fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive.’ It therefore remains to be seen if the trilogue leads to additional major changes on the current draft.
The INCYDER team will cover the implications of the Regulation in detail, once it is adopted.
Lorena Trinberg
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.