On Thursday, EU justice ministers gathered at a Council of Ministers meeting in Brussels to discuss plans for a new General Data Protection Regulation (GDPR). The ministers reached agreement on some parts of the GDPR (25-page / 358KB PDF), which was originally proposed by the European Commission in January 2012, on a "nothing is agreed until everything is agreed" basis. The ministers previously reached similar agreements on other areas of the GDPR.
However, there are major differences between EU countries on how they believe the planned new 'one stop shop' mechanism for regulating data protection should work.
During the debate, UK justice secretary Chris Grayling said the proposals drafted by the presidency of the Council of Ministers on the 'one stop shop' regime would, if introduced, bring about a regulatory framework that is the exact opposite of the streamlined system that is desired.
The presidency has suggested that data protection cases could be handled in accordance with one of three regulatory systems depending on whether the cases are of a local nature, are cross-border cases which regulators can agree between them on how to handle, or are cross-border cases which regulators cannot agree on how to resolve.
Data protection expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said: "The problem with the presidency's proposals is that they create the potential for satellite litigation on issues such as whether cases have been handled in accordance with the correct regulatory procedure. Such disputes would only serve to delay the outcome of cases, which could simultaneously deny consumers a right to swift remedies and businesses the legal certainty they need to innovate."
The idea of a 'one stop shop' mechanism for regulating data protection was contained within the Commission's original draft of the GDPR. The Commission wants to introduce a new framework which would avoid businesses having to engage with the national data protection authority (DPA) in each EU country in which they process consumers' personal data. It wanted a new system which would allow businesses operating across the EU to answer to just one DPA – in general the one based in the country of their 'main establishment'.
The Commission's plans contained a consistency or cooperation mechanism to allow DPAs outside of a business' main establishment to have their say in cases where individuals in their jurisdiction are affected by the actions of that company. However, under those plans it would still fall to the lead authority to take regulatory action.
However, there has been stiff opposition to those plans by countries such as Germany. The opposition is based predominantly on the fear that businesses could engage in 'forum shopping' in relation to where they elect to base their main operations in the EU so as to avoid the strictest application of data protection rules by DPAs.
In addition, last year lawyers at the Council of Ministers warned that the 'one stop shop' regime, as envisaged by the Commission, might not appropriately recognise individuals' rights to an effective remedy under EU laws. The presidency of the Council of Ministers has since been working on remodelling the one stop shop proposals to give local DPAs greater say in cases affecting consumers in their country.
Under its latest one stop shop proposals (9-page / 226KB PDF), data protection matters would be regulated differently depending on the kind of case. If data protection issues affected consumers in only one country, the one stop shop mechanism would not apply. Those cases would be handled by the local DPA only.
The one stop shop mechanism would apply, under the plans, for "important cross-border cases". In those cases, the DPA based in the country of a business' 'main establishment' would lead investigations, but "concerned DPAs" in other EU jurisdictions would be able to get involved in those cases if the business also has an office in the country or consumers in their jurisdiction were otherwise "substantially affected" by that company's personal data processing.
The different DPAs would have to cooperate in a bid to reach consensus on what action, if any, to take against businesses in those cross-border cases. Circumstances would dictate whether it would be the lead DPA or a local DPA that would give legal effect to the agreed decision. Under the presidency's plans, there would be a mechanism for businesses and consumers to appeal decisions taken by DPAs to the courts.
However, the presidency's proposals also envisage a third way of determining the outcome of data protection cases. If DPAs were unable to agree between themselves on what action to take against a business in cross-border cases dealt with under the one stop shop mechanism, those cases would be subject to a dispute resolution system.
That system would see a new European Data Protection Board (EDPB), made up of representatives of all national DPAs in the EU, act as an arbitrator able to "settle the dispute by adopting a binding decision" on the basis of a two-thirds majority vote. Cases which reach the EDPB, though, could be appealed to either the Court of Justice of the EU (CJEU) or national courts, under the plans.
Commenting on the presidency's plans, Chris Grayling echoed comments by his Irish counterpart, who had warned of the potential for "any or every cross border case to reach the EDPB", with the result being a backlog of cases sitting with the watchdog or going to the CJEU for a final judgment.
Grayling said EU countries should "step back" from implementing "the wrong solution" for the one stop shop mechanism just for the sake of reaching a consensus on the issue. He said giving "legally binding power" to the EDPB could serve to paralyse the data protection regulatory system.
Grayling said the presidency's proposals also "do not meet the test of proximity", which is the need under EU law to ensure that legal decisions affecting individuals are taken as locally as possible to them. This is because "data protection would become dealt with at EU level" under its plans.
Under the proposals which were agreed on by ministers at the Brussels meeting, organisations wishing to rely on consent as a legal basis for processing personal data under the new GDPR would be required to ensure that the consent they obtain is "unambiguous".
Other changes agreed on would see public bodies prevented from relying on the 'legitimate interests' argument to process personal data without individuals' consent. Under the agreed proposals, businesses would have the right to process personal data if the "processing is necessary for the purposes of the legitimate interests" either they or a third party are pursuing, "except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".
New rules relating to the use of personal data for a new processing purpose were also agreed on. Under those plans, businesses would be required to "ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected" with reference to five criteria.
"The [data] controller shall take into account … any link between the purposes for which the data have been collected and the purposes of the intended further processing; the context in which the data have been collected; the nature of the personal data; the possible consequences of the intended further processing for data subjects; the existence of appropriate safeguards," the agreed proposals said.
The justice ministers agreed on rules which would, if introduced, prohibit businesses from relying on the 'legitimate interests' rule for carrying out new processing activities which are "incompatible with the one for which the personal data have been collected". This would mean that businesses would be forced to seek new consent to proceed with their planned new processing activities, or otherwise rely on another legal basis for processing as set out under the GDPR.
Wynn said: "The presidency's proposals on the 'legitimate interests' rule reflect the current direction of travel under the existing data protection regime, as reflected in guidance previously issued by privacy watchdog the Article 29 Working Party which, reflecting on the recent CJEU decision regarding Google’s search engine, said that, in the age of 'the internet of things' (IoT), businesses will be unlikely to be able to rely on that rule to process personal data."
"This is because the IoT era will enable businesses to pull together detailed data about individuals from a variety of sources and create a profile of those people with the consequence being that any claim they might have to be justified in processing that data for a legitimate interest they have is likely to be overridden by the rights of the individual. Therefore, where organisations are using IoT or big data analytics to create very detailed profiles of individuals, it will be hard to justify the processing on the basis of legitimate interests, meaning that consent will often be the only route to compliance," she said.
Agreement was also reached on specific rules relating to specific personal data processing activities, including those undertaken by journalists, researchers or in an employment context.
The Council of Ministers will need to reach at least a broad consensus on the data protection reforms before opening up three-way negotiations with the European Parliament and Commission on the final wording of the GDPR. MEPs reached agreement on a version of the text earlier this year.