On 15 and 16 June 2015, the Justice Ministers of the 28 Member States of the European Union ("EU") met in Luxembourg for a Justice and Home Affairs Council. One of the objectives of the meeting was to adopt a general approach on the much-awaited General Data Protection Regulation ("GDPR") that will govern the protection of personal data across the EU. More than a year after the EU Parliament adopted its amendments to the text on 12th March 2014, the Council of Ministers has now adopted its own amendments to the draft GDPR.
From a procedural point of view, this is a big step forward because it will enable the three European legislative bodies (namely the European Commission, the European Parliament and the Council of Ministers) to officially enter into a trilogue discussion with a view to reaching a common position on the proposed text. This is by no means the final adoption of the GDPR (see my previous article for a more detailed explanation of the European legislative procedure) but it does mean that the legislative process will now enter into a new phase.
In terms of timing, we can expect the review of the GDPR to continue at a faster pace. A few days ago, the European Parliament published a "data protection reform timetable" proposing dates for the trilogue meetings, which are scheduled to begin on June 24th with the goal of reaching a final agreement on the GDPR by the end of 2015. While possible, this timing seems quite ambitious, given that many EU officials will soon be leaving for the summer vacation and the European Parliament and the Council of Ministers must still agree on some contentious points, such as the rights of individuals, international data transfers, administrative fines and the one-stop shop mechanism. Therefore, the time it will take for the GDPR to be adopted will depend largely on the EU Commission's ability to negotiate a common position that is agreed upon by all three parties.
Meanwhile, here is a selection of some of the key provisions that were adopted by the Council:
- Territorial scope: the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU and to the processing of personal data of data subjects residing in the EU by a controller not established in the EU, where the processing activities are related to 1) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the EU; or 2) the monitoring of their behaviour as far as their behaviour takes place within the EU.
- Consent: one of the legal conditions for processing personal data is where the data subject has given unambiguous consent to the processing of personal data for one or more specific purposes. The data subject's consent must be explicit for the processing of sensitive data. Also, the holder of parental responsibility must give consent where a minor's personal data are collected in the context of information society services.
- One-stop shop rule: the Data Protection Authority ("DPA") of the country where the controller or processor has its main establishment or single establishment is competent to act as a lead DPA on transnational processing matters, notwithstanding the competence of each DPA to handle an infringement which involves either an establishment of the controller/processor, or individuals, in their respective jurisdictions. Where the lead DPA chooses to deal with the case, it must take into account the draft decision provided by any other competent DPA. The lead DPA also has a duty to cooperate with, and provide mutual assistance to, the other DPAs concerned (i.e., DPA of the country where the controller is established, or where individuals are concerned by the processing, or where a complaint has been filed). When taking a decision against a controller or processor, the lead DPA must communicate the relevant information on the matter to the other concerned DPAs and consult them on a draft decision. Once the DPAs agree on the decision, it is notified to the controller or processor.
- Data security: data controllers and processors have an obligation to implement appropriate technical and organisational measures, such as pseudonymisation of personal data, to ensure a level of security appropriate to the risk. Such measures must take into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals.
- Data security breach notification: data controllers have an obligation to notify the competent DPA within 72 hours and the data subjects without undue delay, where a personal data breach is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage. Data processors are also obliged to notify their customers (i.e., controllers) without undue delay after becoming aware of a personal data breach.
- International data transfers: transfers of personal data outside the European Economic Area ("EEA") are prohibited, unless the European Commission has adopted an adequacy decision applicable to the third country or region, or a legal derogation applies, or the controller or processor adduces adequate safeguards, such as: 1) Binding Corporate Rules (BCR); 2) standard contractual clauses adopted by the EU Commission or a DPA; or 3) an approved code of conduct or certification mechanism which includes binding and enforceable commitments of the controller or processor to apply the appropriate safeguards in the third country. The EU Commission and national DPAs must also develop international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data and provide international mutual assistance in the enforcement of such legislation, including through complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms.
- Right to erasure and "to be forgotten": data controllers must erase personal data without undue delay where: 1) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; 2) the data subject withdraws consent for the processing of personal data; 3) the data subject objects to the processing of personal data; 4) the data were unlawfully processed; 5) a law requires the controller to erase the data. In relation to information society services, individuals may also obtain the erasure of their data without undue delay, within the limits of 1) freedom of expression and information; 2) legal obligations applicable to the controller; 3) public interest; 4) scientific, statistical and historical archiving; and 5) the establishment, exercise or defence of legal claims.
- Data protection officer: data controllers and processors may appoint a data protection officer, unless such an appointment is required under national law.
- Codes of conduct and certification: associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of the GDPR, such as the legitimate interests pursued by controllers in specific contexts, or measures and procedures aimed at protecting personal data.
- Enforcement and fines: in case of a violation of the GDPR, DPAs have the power to impose fines that can go up to €1 million or up to 2% of the global annual turnover of a company depending on the seriousness of the breach, the intentional or negligent character of the infringement, and the actions taken by the controller or processor to mitigate the damage caused to individuals.