Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

Member states could have limited freedom to scope out data protection public sector rules, EU Commissioner says


The UK and other EU member states could be given limited freedom to write their own laws affecting data protection in the public sector, the EU's Justice Commissioner has said.

In a speech Viviane Reding said that the European Commission's draft General Data Protection Regulation could be amended to provide "more flexibility" around data protection in the public sector.

"Specific rules for the public sector are necessary in some cases: think for example of a land registry which should be public," Reding said. "I believe we can have more flexibility – but this is something we can achieve within the Regulation. In fact, the Commission's draft already foresees 20 cases in which the rules are adapted for the public sector."

"I am prepared to introduce further flexibility in the legislation, provided it does not run against the objectives of achieving a more harmonised legal environment. I believe it should be possible for Member States to adopt laws which further specify how the Regulation is to be applied in specific areas of the public sector. But one thing is clear: there can be no general exemption for the public sector. We must remember that the fundamental right to data protection applies as much to the public sector as it does to the private," the Commissioner added.

Currently EU member states have data protection laws which differ one from another. This is as a consequence of the way those countries have implemented the 1995 Data Protection Directive into national laws. The wording of EU Directives does not have to be precisely copied into national laws.

However, the Commission has described the current data protection regime in the EU as fragmented and outdated and has pressed for reforms that bring the rules up-to-date with advancements in technology.

In January the European Commission published a draft General Data Protection Regulation which would, if enacted, introduce a single data protection law across all 27 EU member states. Companies that process personal data of EU citizens from outside the borders of the trading bloc would also be subject to the rules.

Under the proposed reforms the European Commission would be able to draft a series of "implementing" or "delegating" acts in order to provide more detail on the precise workings of some of the measures included in the Regulation text.

However, Reding indicated that she may be willing to drastically cut the ability of the Commission to set out rules through the two "Commission empowerments".

"The Regulation lays out basic rules and principles, ready to be applied and enforced," Reding said. "Delegated and implementing acts ensure that if, in practice, more specific rules are necessary, they can be adopted without going through a long legislative journey."

This does not mean giving a 'blank cheque' to the Commission. I am open to review the delegated acts one by one, together with the Member States, and to limit them to only what is truly necessary to keep the regulation sufficiently open to future technological developments. But we need a method based on clear criteria for this review, including the need to avoid fragmentation, the need to supplement rather than amend the regulation and maintaining the technologically neutral character of the law. The application of these criteria could lead to a reduction of the Commission empowerments by up to 40%," she said.

Reding also said that she was aware of concerns about "the possible administrative burden for companies" that it is perceived in many quarters that the proposed new data protection framework would create. She said she had made "concrete proposals" to EU Justice Ministers "to reduce" the perceived burdens and suggested organisations that process relatively little non-sensitive personal data may be exempt from some of the requirements set out in the draft Regulation.

"Our goal is certainly not to impose a bigger burden, and that is why SMEs are already exempt from some requirements, like having a Data Protection Officer," she said. "It has never been the Commission's intention to apply the same rules to the small hairdresser as to a multinational; I have ... told Member States that the Commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed."

"But let's be frank: we should not fall into the trap of some lobbyists expressing concerns for SMEs but in fact referring to provisions relevant for large multinational firms," she added.

Reding said that she is "confident" that a "political decision" will be able to be made on the issues of public sector flexibility, administrative burdens and on the Commission's power to introduce delegated and implementing acts next month. It is further hoped that a "political agreement on the reform package" can be obtained by the middle of next year, she added.

"It is crucial that we deliver data protection laws that are fit for the 21st century and that we do so without delay," Reding said. 

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.