Justice and home affairs ministers reached agreement on rules governing data transfers and on the territorial scope of the planned new General Data Protection Regulation at a meeting in Luxembourg.
However agreement is yet to be reached by ministers on the wording of the remaining aspects of the draft Regulation, which would introduce widespread reforms to existing EU data protection laws. The ministers must agree on the wording of the text before negotiations can begin with the European Parliament on the final wording of the rules. MEPs reached a consensus on the reforms earlier this year.
The Council of Ministers confirmed that, despite the partial consensus on the reforms, agreement had only been reached on the basis that "nothing is agreed until everything is agreed".
"The Regulation sets out three avenues which can be used to make legal data transfers," EU justice commissioner Viviane Reding said in a statement. "One, when the Commission has found that a third country is 'adequate' in terms of data protection. This means that certain conditions – set out in the law – like for example having robust data protection legislation or a data protection authority in place, are met.
"Two, when appropriate safeguards exist, including for example binding corporate rules approved by data protection authorities. And three: in clearly defined specific situations which necessitate the transfer, for example a tax or competition investigation," she said.
Under the wording of the text agreed on by the EU ministers (click through for 34-page / 382KB PDF), businesses would have a range of options for meeting the 'appropriate safeguards' requirement. These include agreeing binding corporate rules (BCRs), approved by data protection authorities that specify the nature of data transfer arrangements within "group of undertakings or group of enterprises engaged in a joint economic activity".
Details that need to be set out in the legally-binding BCRs include how data protection principles apply to the data being transferred, such as the legal basis for processing the personal information and the measures in place to ensure data security.
Businesses transferring personal data outside of the EU can also utilise standard contract terms approved by the European Commission or obtain authorisation from regulators for the contractual clauses on data protection that they agree with organisations they are transferring personal data to in third countries to meet the 'appropriate safeguards' test.
The rules also permit data transfers to take place outside of the legal avenues that are proscribed in specific situations, such as for important reasons of public interest.
Among the list of limited exceptions is a right for businesses to transfer personal data where it is "necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject".
However, this right can only be exercised in cases where the data transfer is "not large scale or frequent" and on condition that the data controller "has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced suitable safeguards with respect to the protection of personal data".
In reaching consensus on what the territorial scope of the proposed General Data Protection Regulation should be, the justice and home affairs ministers have agreed that companies based outside of the EU can be made to adhere to the new regime as well as those based inside the trading bloc.
"This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the European Union," the text agreed by the ministers said.
The ministers also debated plans for a 'one stop shop' mechanism for regulating data protection under the new legal framework. The principle of the one stop shop system is that businesses would only have to engage with one data protection authority in the EU on issues of compliance and enforcement.
However, a more nuanced approach had been suggested by the Presidency of the Council of Ministers so as to appease concerns which relate to ensuring access to justice for consumers and about the risk of 'forum shopping' by businesses.
No agreement on this aspect of the reforms was reached at the Luxembourg meeting. The Council of Ministers said that "the future Presidency will continue to work at technical level on this issue".
"Positions are coming closer to the model for such a system with the general understanding that there should be a 'lead authority' which works closely with other concerned authorities, notably the local authority with which citizens lodge a complaint (to ensure 'proximity')," Reding said.
The Commissioner said that the reform package remains "on track" to be completed by 2015.