The new General Data Protection Regulation had a long history. It was
perhaps the regulation which attracted the greatest number of amendments in the
Parliament and was one of those which were subject to the longest and most
complicated negotiations. EU regulations under the ordinary legislative
procedure have to be approved by both the Parliament and the Council. There are
several rounds until an agreement is found or the regulation finally fails
to be approved.
The negotiations centred around some new elements of the regulation,
like the „one stop shop”, the possibility for a person or a company to
deal with only one data protection authority (and the two, namely the one stop
shop for a company and the one for a person whose data that company uses, may be
contradictory in an international setting), the extent of penalties, the
liberty of member states to regulate further and the liberty of public services
compared to economic actors in using personal data. The new concepts, „the
right to be forgotten”, the concepts of „privacy by design” and „privacy by
default” and mainly „data portability”, were also subject to long discussion
concerning their definition, scope and practical applicability. The mechanical
duty of notification to the data protection authority (which was actually
required to a different extent in different countries) has given way in a lot
of cases to a preliminary impact assessment.
I try to highlight here some of these aspects, comparing what the
Council wanted (it published its position with a concrete text of the
regulation on 24 February 2014) with the final text.
The final regulation contains 173 recitals which set out the main principles
and considerations (and serve as guidance concerning the „intention of the
legislator” if interpretation of the text is needed).
First let’s examine the freedom of manoeuvre given to the member states:
In the Council position, the member states wanted to have the power to
legislate ignoring some requirements if data are processed by public
authorities. The new regulation frames this liberty: „Regarding the processing
of personal data for compliance with a legal obligation, for the performance of
a task carried out in the public interest or in the exercise of official
authority vested in the controller, Member States should be allowed to maintain
or introduce national provisions to further specify the application of the
rules of this Regulation.” Member state law can set out the circumstances for
specific situations, „determining more precisely the conditions under which the
processing of personal data is lawful”. This right extends also to processing
of special categories of personal data (‘sensitive data’), i.e. data related to
health, sexual orientation, religion, political views, membership in trade
unions and similar data.
The regulation is not applicable for „activities which fall outside the
scope of Union law, such as activities concerning national security” and also
„when carrying out activities in relation to the common foreign and security
policy of the Union”.
The most important exception is the „processing of personal data by
competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention of threats to
public security and the free movement of such data, is the subject of a
specific Union legal act... namely Directive (EU) 2016/680 of the European
Parliament and of the Council”. If these authorities process data in the
framework of other activities, the regulation is, however, applicable. An exemption
for fraud prevention and detection, including tax evasion, is also included in
the regulation.
Limits to data portability were set in the new regulation: it „should
apply where the data subject provided the personal data on the basis of his or
her consent or the processing is necessary for the performance of a contract.
It should not apply where processing is based on a legal ground other than
consent or contract. By its very nature, that right should not be exercised
against controllers processing personal data in the exercise of their public
duties. It should therefore not apply where the processing of the personal data
is necessary for compliance with a legal obligation to which the controller is
subject or for the performance of a task carried out in the public interest or
in the exercise of an official authority vested in the controller. The data
subject's right to transmit or receive personal data concerning him or her
should not create an obligation for the controllers to adopt or maintain
processing systems which are technically compatible.”
A point in favour of economic actors – and deviating from the spirit of
the old directive – was that direct marketing could be considered as legitimate
interest. The new regulation formulated some limiting conditions to that: „the
data subject should have the right to object to such processing, including
profiling to the extent that it is related to such direct marketing, whether
with regard to initial or further processing, at any time and free of charge.
That right should be explicitly brought to the attention of the data subject
and presented clearly and separately from any other information.”
The impact assessment requirement was also considerably limited, to
circumstances „where processing operations are likely to result in a high risk
to the rights and freedoms of natural persons”. The result of this assessment
will then determine whether consultation of the data protection authority is
necessary (which was obligatory under the old regime for all processing
operations involving „sensitive data”).
Special simplified requirements are applicable to small companies, and
special codes of conduct can be issued by member states for these enterprises.
On this point the Council succeeded in having its position accepted.
Following the Schrems case,
where the adequacy decision of the Commission about the Safe Harbour agreement
– which declared that persons have protection equivalent to that ensured by
European legislation if their data are processed in the U.S. – was invalidated,
the new regulation sets more precise conditions for when the Commission can take
such a decision.
The „one stop shop”, i.e. the possibility for persons to turn to one
competent authority – preferably the one in their country – to deal with their
complaints, was also given precise conditions, and the process was described. There
will be a „lead authority”, competent for the organisation processing the data,
and other „concerned authorities” (among them the one with whom the complaint
was lodged). Cooperation obligations are described. What is left of the power
of the authority with whom the complaint was lodged is that „where the decision
is to reject the complaint by the data subject in whole or in part, that
decision should be adopted by the supervisory authority with which the
complaint has been lodged.”
The Commission will participate, without voting rights, in the activities
of the new Data Protection Board, and the European Data Protection Supervisor
should have specific voting rights. As opposed to the solely consultative nature of its
predecessor, the so-called „Article 29 working party” of national data
protection authorities, the Board can take binding decisions. These decisions are not
binding on the European Data Protection Supervisor, who is the Data Protection
Authority for EU institutions; this may change with the forthcoming regulation
about processing of personal data in EU institutions, which is now under
preparation and should enter into force at the same time as the new GDPR,
i.e. May 2018.
The maximum amount of penalties and fines was fixed at 4% (the
Parliament proposed 5%) of the turnover of the company infringing the rules, and
for certain offences at only 2%.
Specific rules for associations, in particular religious associations,
are also fixed.
There are of course a number of other changes compared to the system in
force now, but here I only wanted to deal with some topics which were subject
to discussion between the Commission (which prepared the original proposal), the
Parliament (more inclined towards the interest of harmonisation and the fundamental
rights of citizens – the rapporteur came from the Green faction) and the
Council, representing more the interest of public administrations and
enterprises.