The new General Data Protection Regulation had a long history. It was perhaps the regulation that attracted the largest number of amendments in the Parliament, and it was among those subject to the longest and most complicated negotiations. EU regulations adopted under the ordinary legislative procedure have to be approved by both the Parliament and the Council. Several rounds follow until agreement is reached or the regulation finally fails to be adopted.
The negotiations centred on some new elements of the regulation, such as the "one stop shop", i.e. the possibility for a person and for a company to deal with only one data protection authority (the two, namely the one stop shop for a company and that for a person whose data the company uses, may conflict in an international setting); the extent of penalties; the freedom of member states to regulate further; and the freedom of public services compared with economic actors in using personal data. The new concepts of "the right to be forgotten", "privacy by design" and "privacy by default", and above all "data portability", were also the subject of long discussion concerning their definition, scope and practical applicability. The mechanical duty of notification to the data protection authority (which was in fact required to different extents in different countries) has in many cases given way to a preliminary impact assessment.
I try to highlight here some of these aspects, comparing what the Council wanted (it published its position, with a concrete text of the regulation, on 24 February 2014) with the final text.
The final regulation contains 173 recitals which set out the main principles and considerations (and serve as guidance on the "intention of the legislator" if the text needs to be interpreted).
First, let's examine the freedom of manoeuvre given to the member states.
In the Council position, the member states wanted the power to legislate without regard to some requirements where data are processed by public authorities. The new regulation frames this freedom: "Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation." Member state law can set out the circumstances for specific situations, "determining more precisely the conditions under which the processing of personal data is lawful". This right also extends to the processing of special categories of personal data ("sensitive data"), i.e. data relating to health, sexual orientation, religion, political views, trade union membership and similar data.
The regulation does not apply to "activities which fall outside the scope of Union law, such as activities concerning national security", nor "when carrying out activities in relation to the common foreign and security policy of the Union".
The most important exception is that the "processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act... namely Directive (EU) 2016/680 of the European Parliament and of the Council". If these authorities process data in the course of other activities, however, the regulation does apply. An exemption for fraud prevention and detection, including tax evasion, is also included in the regulation.
Limits to data portability were set in the new regulation: the right "should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible."
A point in favour of economic actors – and one deviating from the spirit of the old directive – was that direct marketing could be considered a legitimate interest. The new regulation attaches some limiting conditions to this: "the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information."
The impact assessment requirement was also significantly limited, to circumstances "where processing operations are likely to result in a high risk to the rights and freedoms of natural persons". The result of this assessment will then determine whether consultation of the data protection authority is necessary (under the old regime this was obligatory for all processing operations involving "sensitive data").
Special simplified requirements apply to small companies, and member states can issue special codes of conduct for these enterprises. On this point the Council succeeded in having its position accepted.
Following the Schrems case, in which the Commission's adequacy decision on the Safe Harbour agreement – which declared that persons enjoy protection equivalent to that ensured by European legislation if their data are processed in the U.S. – was invalidated, the new regulation sets more precise conditions under which the Commission can take such a decision.
The "one stop shop", i.e. the possibility for persons to turn to a single competent authority, preferably the one in their own country, to deal with their complaints, was also given precise conditions, and the process is described. There will be a "lead authority", competent for the organisation processing the data, and other "concerned authorities" (among them the one with which the complaint was lodged). Cooperation obligations are set out. What remains of the power of the authority with which the complaint was lodged is that "where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged."
The Commission will participate, without voting rights, in the activities of the new Data Protection Board, and the European Data Protection Supervisor should have specific voting rights. Unlike its purely consultative predecessor, the so-called "Article 29 Working Party" of national data protection authorities, the Board can take binding decisions. These decisions are not, however, binding on the European Data Protection Supervisor, who is the data protection authority for the EU institutions; this may change with the forthcoming regulation on the processing of personal data by EU institutions, which is now under preparation and should enter into force at the same time as the new GDPR, i.e. in May 2018.
The amount of penalties and fines was set at a maximum of 4% (the Parliament had proposed 5%) of the turnover of the company infringing the rules, but only 2% for certain offences.
Specific rules for associations, in particular religious associations, are also laid down.
There are of course a number of other changes compared with the system in force now, but here I only wanted to deal with some of the topics that were the subject of discussion between the Commission (which prepared the original proposal), the Parliament (more inclined towards harmonisation and the fundamental rights of citizens – the rapporteur came from the Green group) and the Council, which represented more the interests of public administrations and enterprises.