What’s the view of the final text of GDPR according to EC?

JunckerIn the last couple of weeks the blogosphere has gone into overdrive regarding the final text of the EU General Data Protection Regulation (GDPR) that’s on track to emerge before the end of the year. Agreement between the European Parliament, Council of Ministers and European Commission now looks like a distinct possibility in November 2015 after which there’ll be a two-year transition period before sanctions begin to bite.

As GDPR watchers will have already clocked, there’s been a leak on the first reading of EU Regulation by the Council of Ministers. The document runs into 630 pages and can be accessed here.

Fortunately, the fog that’s surrounded the details of the final text of GDPR is now starting to lift.

The European Commission – the ‘honest broker’ in the deal between the European Parliament and the Council of Ministers – has started to provide some clarity on what the final shape of GDPR will look like.

It should be remembered the proposal has been subject of intense debate since 2012 when the European Commission proposed a branch and root reform of Europe’s outdated data protection and privacy laws.

What was fuelling this need for reform was the need to create a functioning single market that would deliver jobs and prosperity across the EU.

At a recent IAPP London KnowledgeNet seminar hosted at the London offices of global law firm Allen & Overy, Bruno Gencarelli, Head of Unit, Data Protection at the Directorate-General for Justice at the European Commission shared his thoughts with an audience of over 100 data protection and privacy experts, who appeared to be hanging on his every word!

Such is the interest in the final outcome of the trilogue negotiations. And British PM David Cameron’s promise to hold a referendum on the UK’s membership of the EU has quadrupled this level of interest.

The context surrounding GDPR is perhaps just as important as the content of the proposed EU Regulation.

EU Charter of Fundamental Rights

The Charter is an important development as it’s the first formal EU document to combine and declare all the values and fundamental rights (economic and social as well as civil and political) to which EU citizens should be entitled.

The main aim of the Charter is to make these rights more visible. It is important to note that the Charter doesn’t establish new rights but assembles existing rights that were previously scattered over a range of international sources.

Now that the national courts and Court of Justice of the European Union (CJEU) have to consider the Charter it can be used to assist in cases where EU law is in issue and clearly GDPR needs to be seen within this context.

EU Digital Single Market

Last week, the EU outlined its strategy to create a digital single market. The thrust of the proposals included establishing standard rules for buying goods online, pruning cross-border regulations on telecoms and reducing the tax burden on business. The plan also calls for a “comprehensive assessment” of whether Facebook, Google and other internet platforms distort competition (aside from posing significant data protection and privacy risks).

EU Commission President Claude Juncker has promised to transform the EU single market for the digital age by removing regulatory walls, moving away from 28 national markets to a single one and generating €415 bn ($468 bn) a year for the European economy as well as creating 3.8m new jobs.

The call for reform isn’t simply politically motivated – many businesses from within and outside of the EU have been pressing for reform in order to compete across a level playing field rather than risk facing fines and penalties across 28 Member States that pursue their own competition, data protection, privacy laws and regulations.

It’s against this backdrop that GDPR is the final piece of the jigsaw that will create a very different picture of the European Union than exists at present.

What’s driving the European Commission to reform data protection and privacy laws across the EU?

There are three key drivers:

  1. Simplifying the regulatory landscape and framework
  2. Updating rights and obligations to the opportunities and challenges of the digital world.
  3. Strengthening enforcement.

According to Bruno Gencarelli, it’s a balance of interests – removing red tape as well as providing protection for the ordinary EU citizen.

“We’ve tried to tailor and granulate certain obligations – the so-called ‘risk-based approach’ that entails carrying out a Data Protection Impact Assessment (DPIA) as well as looking at processing activity that represents a specific risk to the rights and freedom of a data subject. In doing so, we are also looking at the size of business,” he says.

On the point of red tape, Bruno Gencarelli is clear that the GDPR will eliminate most prior notification and prior authorising processing obligations as a result of the appointment of a Data Protection Officer (DPO) that will sit within the company or organisation and who will report data breaches directly to the Supervisory Authority.

So in a way, this is a self-policing system that will radically reduce the amount of bureaucracy that exists at present, although of course it comes with its own challenges, particularly as Boards will need to be coached in how to work with a ‘mini-regulator’ that’s embedded within its own business.

Putting individuals back in control of their own data

This is perhaps at the root of the proposed data protection and privacy reforms and has the biggest impact of the changes being proposed by the European Commission.

“I would say more than in any other part of the EU Regulation effecting data protection, the proposed reforms mean putting individuals back in control of their personal information in order to re-establish fundamental rights as well as to strengthen trust within the digital single market,” adds Bruno Gencarelli.

Portability of data

One of the proposed eye-catching reforms to be included in the GDPR will be portability of personal data across the EU.

“This is essentially about allowing users to extract in a structured format personal data from service providers and to move that personal data to another provider. This idea stems from what happens in the mobile telecoms sector and it’s about giving more say to individuals to decide what happens to their data in practice; being able to effectively make a choice in the market and in that way lower the barriers to entry in particular to those markets which are currently dominated by very few big players.”

According to the European Commission, this is an example of a question of balance taken within the GDPR – of balancing fundamental rights as well as complementing the principle of competition within the internal market.

“We don’t see one excluding the other,” explains Bruno Gencarelli.

Breach notification

In this area, the European Commission has studied in detail what some States in the USA have adopted in terms of data breach notifications and are convinced of the case for a federal approach across the EU.

“In practice, the same idea is true for the protection of privacy by design. This is about investing in good data protection practice and methods as early and as upstream as possible in the provision of goods and services,” adds Bruno Gencarelli.

More effective supervision and enforcement

The new emphasis on supervision and enforcement placed by the European Commission reflects the transition from an ex-ante to an ex-post data protection and privacy system.

“Data protection and data breaches have become much more serious and relevant and currently we don’t have a credible set of enforcement rules and sufficiently dissuasive sanctions. In Europe, we have a very fragmented situation where certain countries have that power to impose financial sanctions and some countries don’t appear to have that power.

“We drew inspiration from other areas of Europe such as competition law in looking at the issue of supervision and enforcement. There have been a lot of misgivings about the level of fines and it should be emphasised that these are a ceiling – it’s about a maximum amount of the fine which will be applicable to the most serious violation.”

Bruno Gencarelli was at pains to emphasise that the European Commission firmly believes in the principle of proportionality and the level of fines imposed will be based on a catalogue of factors that will include:

  • duration of the data breach
  • seriousness of the data breach
  • negligence or intention
  • nature of the violation
  • impact on users
  • other factors

One Stop-Shop

This is one of the jewels in the crown of GDPR and clearly the European Commission sees this as being fundamental in terms of enforcement and supervision that sits alongside its strategy for the digital single market and the Charter of Fundamental Rights.

What’s now proposed is a two-level structure that provides the benefit of proximity for complainants against organisations and companies by recourse to their own Data Protection Authority (DPA) and the courts as well as making it easier to launch a cross-border complaint by reference to a single adjudication body (the lead DPA body of the main establishment).

In this new regime, both bodies will need to agree on the interpretation of the GDPR rather than having diametrically opposed interpretations that would negate the operation of a one-stop shop mechanism.

“The one-stop shop has become more congruent and more consistent in interpretation and application of EU data protection laws throughout the EU and this is good in terms of legal certainty,” explains Bruno Gencarelli.

The European Commission view is that the one-stop shop is more effective in the protection of users’ rights and this appears to have gained consensus within the European Parliament and the Council of Ministers.

“Originally, we had the idea of concentrating the decision making power with the Supervisory Authority of the main establishment and probably that was too simplistic.

“There were a number of very valid observations made and in particular we had to sufficiently take into account the specific fundamental rights and the nature of data protection afforded to the individual.

“So when a data subject lodges a complaint they may have with a data controller or data processor, they should be able to go to their domestic DPA but also the domestic court.

“Negotiations around the one-stop shop mechanism took a while and were debated in detail by the Council where it was important to strike the right balance and for having the ability to adjudicate on cross-border cases with one interpretation of the data protection rules.

“Although the UK may have had certain reservations about the one-stop shop principle, we are very satisfied with the compromise that’s been reached that safeguards the level of proximity for a remedy in particular when the complaint of an individual is rejected and therefore a decision has a negative impact on that individual.

“At the same time, the one-stop shop maintains our main objective of having one interpretation of the GDPR in cross-border cases and I would say it even reinforces it.

“This sort of co-decision between the adjudication bodies won’t be based on the creation of a new body but on a better functioning of what already exists.

“It will strengthen the co-operation of DPAs within the framework of the Article 29 in a more structured and legally robust way,” observes Bruno Gencarelli.

GDPR is therefore likely to reflect the following mechanism for one-stop shop:

  • when the decision involve measures to be taken vis-a-vis the control of the processor, the imposition of a fine, injunction or to put an end to certain processes, then that decision is jointly agreed and will be formally adopted by the DPA of the main establishment
  • when the jointly agreed decision has a negative impact on the individual by rejecting their complaint, it will be adopted by the local DPA and in that way it ensures that the decision can be challenged before a domestic court of the complainant.

Given this additional safety value, the European Commission feel that the Data Protection Board wouldn’t have to intervene except in a relatively few cases.

“Where the local DPA isn’t able to reach agreement with DPA for the main establishment, then the matter will be referred to European Data Protection Board (EDPB) and that decision will be binding on all parties. And this is a legally more robust position under the Fundamental Rights Charter perspective,” adds Bruno Gencarelli.

Consensus reached?

According to the European Commission, although some points remain to be agreed, the vast majority of the GDPR has reached a stage of consensus in terms of the viewpoints of the European Parliament, Council and the Commission.

“I think the all the basic elements for an agreement are now in place and there’s definitely consensus around the main foundation of the future system – an EU Regulation, a one-stop shop, an ex-post system of control to a greater extent unaccountability and more effective enforcement on a broader geographical scope. In all of these elements we see consensus,” explains Bruno Gencarelli.

Two-year transition period

On the basis that trilogue agreement is reached in November 2015, this isn’t the end of the matter until 2017. “In a sense reaching agreement in 2015 isn’t the end point. The two-year transition period will be useful to do a number of things and also because we have a change of governance and moving forward we’ll need to agree institutional issues including the future of the European Data Protection Board and its role within the new regime.

“The EU Regulation is a skeleton of the principles for the future of data protection and privacy within the EU and over the next two years a lot of meat will need to be put on the bones of GDPR,” concludes Bruno Gencarelli.


Leave a reply