In case you missed it over the last week or so it has been confirmed that the European Council have agreed a text of the Draft EU Data Protection Regulation. You would think that would be the final stage but alas no. Instead we now present this version back to the Commission & Parliament for tri-partide discussion and agreement. This really is the final stage of the legal process in which the Council, the EU Parliament and the EU Commission will now negotiate on this document to agree a final text that can become law (promise… it really is the last stage).
However, in typical governmental fashion of not being able to do anything smoothly 2 versions were ‘released’. One is the text of the Council of Minister’s final text agreed on June 15th: Council of Ministers text minus objections from Member States.
The other was a copy of the text of the Council of Minister’s final text agreed on June 15th including the 649 paragraphs of ‘disagreements’ from the member states (oops). Council of Ministers text plus objections from Member States
There is still some discussion to be had however and in the comments version the Council acknowledges this. First up, with regards to police processing of personal data the regulation now includes as a purpose for processing “safeguarding against and the prevention of threats to public security”. Which, at face value, seems rather wide and “loose” in its wording. We all know that defining a “threat to public security” can be open to various interpretations therefore this may meet with some stiff opposition.
The Council has also said that there needs to be some discussion around the “lawfulness of processing” under Article 6 recital (40 and Article 19 (1). The Council is looking to approve final wording on legitimacy of processing data that is incompatible with the original purpose for which it was collected. The current proposal looks to allow such processing but as a condition allows the data subject a means to legitimately object. Again, how this will work in the real world is open to interpretation but given that this is a move away from the current Directive’s standards then it will be interesting to see if the Council and Parliament accept that.
The Council also appears to be looking for further discuss on the right to compensation and liability outlined in Article 77 and recitals (112), (113a), (118), (118b). The current proposal clarifies the roles and liabilities for processing that is not compatible with the regulation. Namely it is looking to narrow the extent of liability for a processor or controller where it can be demonstrated that the controller or processor concerned is not fully liable (IE, it can be clearly demonstrated that it wasn’t their fault). It makes sense but again, how that will go down with the Parliament and Commission will be interesting.
I’ve now had the chance to read through this updated text and in short it smells an awful lot like a beefed up Directive. A lot of the stricter wording that was in the initial draft proposed by the Commission & indeed the Parliament draft have been replaced with general expectations, the finer details of which member state law or local codes of practice are encouraged to work out. Some of the aspects of the regulation even invite member states to write complimentary laws so that those sections can be properly enacted within that member state. (I’m sure that’s the purpose of a Directive you know…).
Here’s a quick summary for you;
- Member states can create their own laws on conditions for processing certain types of data (national ID numbers for example). (Article 9 (5)). This also extends to the conditions for processing HR data which can be defined by local member state work agreements.
- Member states can decide if fines are to be used on public sector bodies.
- Article 79a – Fines of up to 250,000 euros or 0.5% of previous year global annual turnover for deliberate or negligent breaches & not responding to SARs.
- Article 79a – Fines of up to 500,000 euros or 1.0% of previous year global annual turnover for any of the above or;
- Does not provide information in a timely manner to a data subject
- Does not provide access or rectify data belonging to the data subject
- Does not erase personal data belonging to the data subject
- Processing data in violation of an restrictions on processing outlined in article 17 (Notification obligation regarding rectification, erasure or restriction).
- Does not communicate any rectification, erasure or restriction requests to 3rd parties
- Does not provide the data subject with their personal data.
- Processing of data of objection to processing received and no viable reason for legitimate processing.
- Does not provide data subject with information about the right to object to processing of information for marketing purposes.
- Does not sufficiently determine responsibilities of joint controllers.
- Does not maintain sufficient documentation pursuant to Articles 28 (Records of categories of personal data processing activities) & 34 (Prior consultation).
- Article 79a – Fines of up to 1,000,000 euros or 2.0% of previous year global annual turnover for any of the above or;
- Processes information without a legal basis for doing so or does not obtain appropriate consent.
- Does not comply with conditions for automated decision making & profiling.
- Does not implement measure to demonstrate compliance with articles 22 (Obligations of the controller) and 30 (Security of processing).
- Does not designate a representative in violation of Article 25 (Representatives of controllers not established in the Union).
- processes or instructs the processing of personal data in violation of Articles 26 (Processor).
- does not alert on or notify a personal data breach or does not [timely or] completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 (Notification of a personal data breach to the supervisory authority) and 32 (Communication of a personal data breach to the data subject).
- does not carry out a data protection impact assessment in violation of Article 33 (Data protection impact assessment) or processes personal data without prior consultation of the supervisory authority in violation of Article 34(2) (Prior consultation).
- misuses a data protection seal or mark in the meaning of Article 39 (Certification) or does not comply with the conditions and procedures laid down in Articles 38a (Monitoring of approved codes of conduct) and 39a (Certification body and procedure).
- carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44 (Transfer of Personal Data to third countries or international organisations).
- does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 53 (1b) or does not provide access in violation of Article 53(1) (Powers).
- Article 38 – Member states can create their own codes of practice and standards for data protection for specific sectors. This need approval by the EU Data Protection Board but can be developed per member per sector.
- Article 54a – One stop shop concept for regulatory action and complaint handling amongst supervisory authorities remains.
- Article 12 – Removal of charging for SARs remains.
- Article 70 – Removal of need to register all processing of personal data remains but instead only high risk processing must be registered (at no charge) and will be published by the supervising authority.
- Data portability now does not apply to the public sector or any processing for the enactment of a contract. (General Text, paragraph 55)
- Article 31 – Breach notification to a supervisory authority is now 72 hours or “without undue delay” if longer than that period.
This Regulation is as close to a final version as we are going to get for the moment. As we’ve seen in recent weeks and months the majority of Data Protection regulators and even the EU Commission are saying that elements of the Regulation should start to be implemented from this point onwards (e.g. Netherlands are implementing a general DP breach notification law from next year). Some are even using the principle of the Regulation in the interpretation of current law (the ‘right to be forgotten’ for example).
I intend to do a few more articles over the coming weeks to look in more detail at some of the wording and what this could mean if the Parliament and Commission accept the current draft (which is a realistic possibility).