At a meeting of the Justice and Home Affairs Council, a configuration of the EU Council of Ministers, on 4-5 December 2014, the forthcoming EU General Data Protection Regulation took a further step towards adoption across all 28 EU Member States.
The meeting, attended by Chris Grayling, Lord Chancellor, and Theresa May, Home Secretary, and chaired by Andrea Orlando, Italian Minister of Justice and President of the Council, marks a tipping point in the harmonisation of data protection laws across all 28 EU Member States.
At that meeting, the EU Council of Ministers reached partial consensus on two important and inter-related points on data security and protection that sit at the heart of the proposed EU Regulation: a general EU framework for data protection, and a ‘one-stop shop’ (OSS) mechanism that data subjects can use to obtain a single supervisory decision in trans-national data protection breaches.
Partial agreement by EU Council of Ministers
The EU Council of Ministers reached partial agreement on a general approach to specific aspects of the draft EU Regulation setting out a general EU framework for data protection.
This partial agreement on the general approach includes provisions that are crucial to the public sector (Article 1, Article 6, paragraphs (2) and (3), Article 21) as well as provisions relating to specific data processing situations as outlined in Chapter IX of the proposed EU Regulation.
In addition, the majority of the Council of Ministers agreed to the Italian Presidency proposal of a ‘one-stop shop’ (OSS) mechanism that data subjects can access in order to pursue their legal remedies in cases of important trans-national data protection breaches.
The technical architecture for dealing with data breaches and other issues under the EU Regulation will be ‘fast tracked’ in the coming months so that the technical details can be settled.
“One-stop shop” (OSS) to enforce regulation for major data breaches across EU
The objective of the OSS is to arrive at a single supervisory decision in instances of trans-national data breaches; the process should be fast, ensure consistent application, provide legal certainty and reduce administrative burden. Many advocates of such an approach claim that it is a good example of balancing the need for a uniform approach for data controllers with the provision of remedies for data subjects.
“This is an important factor in enhancing the cost-efficiency of the data protection rules for international business and thus contributing to the growth of the digital economy,” adds the communique from the EU Council of Ministers.
From a UK perspective, the Information Commissioner’s Office (ICO) is likely to be closely involved as the decision-making supervisory authority on whether enforcement action is brought against organisations and companies that are located in the UK but have caused a data protection breach with trans-national effects.
Proposed EU Regulation is now a step closer to being finalised
The proposed EU Regulation has taken a step closer to being finalised in 2015, and partially clearing these two hurdles, once regarded as “insurmountable”, is a clear indication of the appetite for getting the EU Regulation adopted once and for all.
Clearly the EU Council of Ministers needs to finalise its version of the draft EU Regulation before negotiations can enter their final stage, but this latest partial agreement is another example of the incremental progress made in the last 12 months.
Many in Europe, including those in Germany, France and Italy, see this forthcoming EU Regulation in the wider context of protecting fundamental human rights.
On 5 November 2014, the German Federal Commissioner for Data Protection, Andrea Voßhoff, and the European Data Protection Supervisor (EDPS), Peter Hustinx, held a panel discussion on the state of play and the prospects for the forthcoming EU Regulation.
One of the panellists, Stefano Mura, Head of the Department for International Affairs at Italy’s Ministry of Justice, reiterated that the proposed EU Regulation isn’t only an EU single-market issue.
“We need the highest affordable standard of fundamental rights,” said Mura with reference to Article 8 of the EU Charter of Fundamental Rights, which provides that everyone in the EU has the right to the protection of personal data.
This was particularly reflected in the controversial judgment of the European Court of Justice in the right to be forgotten case that specifically referenced this right in concluding that an individual could have a search engine listing removed where the material it linked to was no longer relevant.
This theme was developed further by Isabelle Falque-Pierrotin, President of the CNIL, the French Data Protection Authority and also chair of the Article 29 Working Party.
Falque-Pierrotin noted that the right to be forgotten judgment had shown that some of the ideas in the forthcoming EU Regulation were already being developed through the courts. This highlighted the urgency of getting the EU Regulation agreed, and of demonstrating to the world that Europe had a common standard in place and the regulatory powers to back it up.
Although the participants in the debate identified a number of key outstanding issues to be resolved before the reform process concludes, there was some optimism that such issues would be overcome and the process completed before the end of 2015.
Why this matters
This is significant because the organiser of the debate, the European Data Protection Supervisor (EDPS), is an independent supervisory authority whose members are elected by the European Parliament and the European Council to protect personal information and privacy, in addition to promoting and supervising data protection in the EU’s institutions and bodies.
The role of the EDPS includes, among other things, advising on privacy legislation and policies to the European Commission, the European Parliament and the European Council and working with other data protection authorities to promote consistent data protection across Europe.
Why 2015 could be the most important year for European marketers
The forthcoming EU Regulation has been discussed and debated in extraordinary detail by European bureaucrats, and it’s clear that public patience is wearing thin as existing data protection laws such as the Data Protection Act 1998 look increasingly out of date and are no longer ‘fit for purpose’.
It’s clear that European laws have struggled to keep pace with technological changes that have affected two fundamental rights – privacy and identity.
In the wake of the Snowden revelations, there’s increased public expectation for a uniform approach to European data protection, with calls for more sophisticated compliance tools and even stronger sanctions for those organisations and companies that transgress the new rules.
However, it would be wrong for the EU Regulation to be rushed through in its final stages, as consensus on its scope and approach is required for it to be effective and workable.
But that time has almost arrived.
Marketers should start NOW and follow the best practice guidance given by the ICO ahead of the EU Regulation, as much of the Regulation will be a codification of that guidance.
Not doing anything now is a recipe for disaster and simply creates a business continuity risk that can so easily be avoided.
The Council of Ministers is still reviewing the draft EU Regulation at a technical level and negotiations on the proposed text between the Council of Ministers and the European Parliament will only commence once the Council of Ministers is ready.
The earliest there could be agreement on the draft EU Regulation is likely to be the first six months of 2015 – and the expectation is that the revised data protection framework will be in place by mid-2017.