Countdown to GDPR

The clock is ticking for reaching agreement on the EU General Data Protection Regulation, according to the European People’s Party (EPP) Group that brings together centre and centre-right pro-European political forces from the Member States and represents the largest group in the European Parliament.

Monday 15 and Tuesday 16 June 2015

The Council of Ministers will meet in Luxembourg to agree the adoption of a general approach to GDPR.

In effect, the Council will declare its own view on the preferred draft for GDPR and GDPR watchers the world over will be able to compare and contrast the various differences that will exist between this version and the one favoured by the European Parliament.

What started life as an ambitious proposal for reform by the European Commission, and was amended by the European Parliament in 2014, will be ready to be debated alongside the Council of Ministers’ newly agreed draft in the roadmap for reform of data protection and privacy laws, which could see an agreed GDPR by the end of 2015.

The European Parliament will try to stick to the proposed timetable, and any deviation from this would be an indication of the level of commitment as well as the state of mind of the parties in genuinely wanting to reach agreement. According to the privacy trade body IAPP, both the European Commission and the Office of the European Data Protection Supervisor are likely to influence the outcome of this critical process.

Wednesday 24 June 2015

Big day as, subject to agreement between the Council of Ministers, the European Parliament and the European Commission, there will be the 1st Trilogue Meeting on the GDPR in Brussels.

The draft agenda for the meeting:

  • Commitment for the reform of Directive 95/46/EC in Council
  • Agreement on the overall roadmap for Trilogue negotiations from this point
  • General method and approach for delegated and implementing acts.

Progress made before the Summer Recess in July for the European Parliament, Council, and Commission will be a strong signal that the trilogue negotiations are on track to conclude by the end of this year.

Some commentators are optimistic that agreement can be reached, although a potential point of contention is the European Parliament’s introduction of a specific restriction on the disclosure of personal data following a request from a non-EU court or administrative authority. The political connotations with respect to national security are clear and will require skillful negotiation.

Tuesday 14 July 2015

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission there will be the 2nd Trilogue Meeting on the GDPR in Brussels.

The draft agenda for the meeting:

  • Territorial scope (Article 3, GDPR)
  • International transfers (Chapter V, GDPR).

There will then be the Summer Recess where what has been agreed and what’s left to be agreed will be the subject of intense media speculation. After the Summer Recess, the European institutions will be focused on tackling the core aspects of the entire GDPR framework with the aim of reaching agreement in the coming months.

September 2015

On returning from the Summer Recess, and subject to agreement between the Council of Ministers, the European Parliament and the European Commission, there will be further Trilogue Meetings on the GDPR in Brussels.

The draft agenda for the meeting is likely to include:

  • Data protection principles, including the grounds for processing and the conditions for consent (Chapter II, GDPR)
  • Data subject rights including the rights of individuals, the right to be forgotten and the provisions on profiling (Chapter III, GDPR)
  • Substantive obligations affecting data controllers and data processors (Chapter IV, GDPR).

This could be the point at which the trilogue negotiations become protracted and detailed as the European Parliament will need to accept the so-called ‘risk-based approach’ to the GDPR that’s supported by the Council. This appears to be a sensible way forward as it takes account of the need for businesses to grow and flourish under the new data protection and privacy regime. If Parliament is satisfied that such a doctrine is fair and reasonable in the context of all other protections given to individual citizens and their data protection rights, then this could be wrapped up within a matter of weeks.

The bigger prize for the European Parliament and one that could be a hurdle to overcome with the Council of Ministers is the so-called ‘One-Stop Shop’ principle.

October 2015

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission, there will be further Trilogue Meetings on the GDPR in Brussels.

The draft agenda for the meeting is likely to include:

  • Data Protection Authorities including the ‘One-Stop Shop’ Principle (Chapter VI, GDPR)
  • Cooperation and Consistency (Chapter VII, GDPR)
  • Remedies, liability and sanctions (Chapter VIII, GDPR).

The Council will need to be convinced that the ‘One-Stop Shop’ is workable and the Commission as well as the European Data Protection Supervisor will have a critically important role in helping to reach consensus on this principle.

“The One-Stop Shop maintains our main objective of having one interpretation of the GDPR in cross-border cases and I would say it even reinforces it. This sort of co-decision between the adjudication bodies won’t be based on the creation of a new body but on a better functioning of what already exists. It will strengthen the co-operation of DPAs within the framework of the Article 29 in a more structured and legally robust way,” observes Bruno Gencarelli, Head of Unit, Data Protection at the European Commission.

Remedies, liabilities and sanctions have tended to grab the headlines to date, and it looks like the highest fines for data breaches and for failure to comply with the principles of the GDPR will be calculated on the basis of the annual turnover of companies that transgress, and are likely to be up to 5% of global turnover or €100m, whichever is the greater.

When the level of financial penalties is eventually agreed, such a deterrent will start to concentrate the minds of those most likely to be impacted by GDPR – financial services, pharmaceuticals/medical, telecoms and on-line retail sectors.

The incoming Luxembourg Council Presidency is also aiming at a general approach on the Directive 95/96 EC in October or November 2015.

November 2015

By November, the negotiators will be on the home run and it’s hoped that the more controversial and substantive issues will have been agreed by the European Parliament, Council of Ministers and the European Commission by this stage.

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission, there will be further Trilogue Meetings on the GDPR in Brussels.

The draft agenda for the meeting is likely to include:

  • Objectives and material scope, flexibility public sector (Chapter I, GDPR)
  • Specific regimes (Chapter IX, GDPR).

In many respects, this is a tidy up of GDPR on technical issues such as special regimes that will apply to the processing of personal data in the context of the employment relationship, scientific research and journalism. This again is likely to create a lot of media comment and will also need careful handling.

If all is well, we could have reached agreement on GDPR. The marathon negotiation cycle of the Trilogue process will have resulted in a new data protection and privacy regime that is the third piece in the jigsaw along with Fundamental Rights and the Single Digital Market.

But there’s still a chance it could stretch to December.

December 2015

Subject to agreement between the Council of Ministers, the European Parliament and the European Commission there could be the concluding Trilogue Meetings on the GDPR in Brussels.

This should be relatively uncontroversial, although it is likely to touch on politically sensitive areas such as the powers of the European Commission to adopt, delegate and implement acts under GDPR.

The draft agenda for the meeting could include (unless already covered in November):

  • Delegated and Implementing Acts (Chapter X, GDPR)
  • Final provisions (Chapter XI, GDPR)
  • Other remaining issues.

With the end in sight (if not sooner), this could be a very swift sweep-up of the remaining business in the Trilogue negotiation process.
