What happened to CETA?

Now that the CETA free trade deal is signed between the EU and Canada, one can investigate without the dramatic overtones what happened.
First, the European Commission promised - in a reaction to protests, some of which also saw CETA as a trojan horse to the TTIP - that CETA will be submitted to national parliaments for approval. Voices were heard already before that one way of giving legitimacy to the European political process could be to submit European decisions - mainly legislation - to national parliaments. It has to be known that the Lisbon treaty already foresees a right of protestation for national parliaments (see for example: https://www.researchgate.net/publication/271649945_After_Lisbon_National_Parliaments_in_the_European_Union or

http://www.europarl.europa.eu/the-secretary-general/resource/static/files/Documents%20section/SPforEP/Consultation_with_national_parliaments.pdf)

Draft legislative acts sent to the European Parliament and to the Council shall be forwarded to national Parliaments (each parliament has two votes, if they are bicameral, each chamber holds one vote and it is up to the national Parliaments to consult the regional Parliaments - this is a duty by Belgian law). They may send a reasoned opinion the Presidents of the European Parliament, the Council and the Commission why they consider that the draft in question does not comply with the principle of subsidiarity Where these opinions represent at least one third (in the area of the area of freedom, security and justice, one quarter) of all national Parliaments the draft must be reviewed. If half of the national parliaments  protests, the Commission has to justify why it does not change the proposal. These opinions will be submitted to the European Parliament and the Council.
(Article 12 and Protocols 1 and 2 to the Treaty on the European Union.)

The EU has an exclusive right to sign trade agreements with third countries. If, however, an agreement is covering topics other than trade, this prerogative can be questioned. An analysis can be found here: A guide to EU procedures for the conclusion of intl. trade agreements.pdf
Thus, the Commission decided that the CETA will be submitted to national Parliaments for approval (it contains among others a mechanism for settling investment disputes. This system was subject to heated debates (although independent investment dispute resolution mechanisms already exist, like the MIGA associated to the World Bank. Left-wing groups, however,  were weary of the perspective that their state could be sued in front of a private court. The mechanism (both in CETA and in the future TTIP) has been improved but this was not enough for the protesters.

And so came that one regional Parliament of Belgium, that of socialist Wallonia, rejected the CETA. One small region (in a country having maybe the most complex political system in Europe, where the Flemish part would greatly profit from free trade while the French-speaking Wallon part's economy is ailing) almost torpedoed the deal of whole Europe - this caused a brouhaha abroad and frustrated the Canadian trade minister Chrystia Freeland (she was even said to be choking back tears - http://www.bbc.com/news/world-europe-37735409).

The background is more in Belgium's internal politics: "The reason why the Walloon Region is trying to block or at least delay the CETA is political only. The Belgian federal government is run by the right wing whereas the Walloon Region is dominated by the socialists. The problem for the Walloon socialists is that there are losing ground to the extreme left. Hence, it is critical for them to show that they are fighting the CETA whose benefits would only to large multinational corporations. All this fuss about the CETA has thus to be seen in the context of Belgian politics. Belgium has an extremely open economy and exports much more than it imports. We are net beneficiaries of free trade." says Damien Geradine, Founding Partner of EDGE | Legal Thinking, a Brussels-based boutique law firm specialized in EU competition law and intellectual property law and Professor of Competition Law & Economics at Tilburg University (the Netherlands) and at George Mason University School of Law (Washington, DC).

Anybody who followed the ups and downs while Belgium tried to form a government after recent elections (not just one but the last two anyway), can understand this.

The Commission finally succeeded to convince the Wallons to approve the deal. This is not the first time that  a vote first hindering EU actions is repeated  - it happened to Denmark on the Maastricht Treaty, Ireland on the Nice Treaty and Ireland again on the Lisbon Treaty. The Dutch and French no to the Constitutional treaty of the EU was accepted, but the project restarted and resulted in the (somewhat weaker and legally more complex but less strong) Lisbon treaty. It was, however, not just repeating the votes, the situation or the arguments have also changed, as explained in http://blogs.lse.ac.uk/europpblog/2015/10/19/asking-the-public-twice-why-do-voters-change-their-minds-in-second-referendums-on-eu-treaties/
There are two questions lingering: Will the Brexit vote also be repeated? What will happen to the TTIP? The latter question may be irrelevant, given that the TTIP faces much more resistance and that enthusiasm for it may fade in the U.S., too, if not already faded - and neither of the two presidential candidates is eager on it. No question that with Trump, we may bury it entirely but Clinton also treads carefully on it. 

What changed in the new General Data Protection Regulation since the first position of the Council?

The new General Data Protection Regulation had a long history. It was maybe the regulation which attracted the biggest number of amendments in the Parliament and was one of those which were subject of the longest and most complicated negotiations. The EU regulations under the ordinary legislative procedure have to be approved by both the Parliament and the Council. There are several rounds until an agreement is found or a regulation is finally failing to be approved.

The negotiations centred around some new elements of the regulation, like the „one stop shop”, the possibility of a person and a company to have to deal only with one data protection authority (and the two, namely the one stop shop for a company and a person whose data that company uses, may be contradictory in an international setting), the extent of penalties, the liberty of member states to regulate further and the liberty of public services compared to economic actors in using personal data. The new concepts, „the right to be forgotten”, the concepts of „privacy by design” and „privacy by default” and mainly the „data portability” were also subject to long discussion concerning their definition, scope and practical applicability. The mechanical duty of notification to the data protection authority (which was actually required to a different extent in different countries) has given way in a lot of cases to a preliminary impact assessment.

I try to highlight here some of these aspects, comparing what the Council wanted (it published its position with a concrete text of the regulation the 24th February 2014) with the final text.

The final regulation contains 173 recitals which fix the main principles and considerations (and serve as a guidance concerning the „intention of the legislator” if interpretation of the text is needed).

First let’s examine the freedom of manoeuvre given to the member states:

In the Council position, the member states wanted to have the power to legislate ignoring some requirements if data are processed by public authorities. The new regulation frames this liberty: „Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.” Member state law can set out the circumstances for specific situations, „determining more precisely the conditions under which the processing of personal data is lawful”. This right extends also to processing of special categories of personal data (‘sensitive data’), i.e. data related to health, sexual orientation, religion, political views, membership in trade unions and similar data.

The regulation is not applicable for „activities which fall outside the scope of Union law, such as activities concerning national security” and also „when carrying out activities in relation to the common foreign and security policy of the Union”.

The most important exception is the „processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act... namely Directive (EU) 2016/680 of the European Parliament and of the Council”. If these authorities process data in the framework of other activities, the regulation is however applicable. An exemption for fraud prevention and detection, including tax evasion is also included in the regulation.

Limits to data portability were set in the new regulation: it „should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.”

A point in favour of economic actors – and deviating from the spirit of the old directive – was that direct marketing could be considered as legitimate interest. The new regulation formulated some limiting conditions to that: „the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”

The impact assessment requirement was also sensitively limited to circumstances „where processing operations are likely to result in a high risk to the rights and freedoms of natural persons”. The result of this assessment will then determine whether consultation of the data protection authority is necessary (which was obligatory under the old regime for all processing operations involving „sensitive data”.

Special simplified requirements are applicable to small companies, and special codes of conduct can be issued by member states for these enterprises. In this the Council succeeded to make its position accepted.

Following the Schrems case, where the adequacy decision of the Commission about the Safe harbour agreement – which declared that persons have equivalent protection to that ensured by European legislation if their data are processed in the U.S. – was invalidated, the new regulation sets more precise conditions when the Commission can take such a decision.

The „one stop shop” , i.e. the possibility of persons to turn to one competent authority – preferably the one in their country - to deal with their complaints was also given precise conditions and the process described. There will be a “lead authority”, competent for the organisation processing the data, and other „concerned authorities” (among them the one with whom the complaint was lodged). Cooperation obligations are described. What is left from the power of the authority with whom the complaint was lodged is that „where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.”

The Commission will participate in the new Data Protection Board's activities (which, as opposed to the solely consultative nature of its predecessor, the so-called „Article 29 working party” of national data protection authorities, can take binding decision (but these decisions are not binding on the European Data Protection Supervisor, who is the Data Protection Authority for EU institutions – this may change with the forthcoming regulation about processing of personal data in EU institutions which is now under preparation and should enter into force at the same time, i.e. May 2018, when the new GDPR enters into force) without voting rights and the European Data Protection Supervisor should have specific voting rights.

The amount of penalties and fines was fixed as a maximum of 4% (the Parliament proposed 5%) of turnover of the company infringing the rules but for certain offences only to 2%.

Specific rules for associations, in particular religious associations are also fixed.

There are of course a number of other changes compared to the system in force now, but here I only wanted to deal with some topics which were subject to discussion between the Commission (who prepared the original proposal), the Parliament (more prone to the interest of harmonisation and the fundamental rights of citizens – the rapporteur came from the Green faction) and the Council, representing more the interest of public administrations and enterprises.