At a meeting in Luxembourg, most justice ministers from governments across the EU voted to support a "general approach" to the Regulation outlined in proposals published by the Latvian presidency of the Council of Ministers (201-page / 1.21MB PDF) last week. Austria and Slovenia did not give their support to the proposals.
The broad agreement comes three and a half years after the Regulation was first proposed by the European Commission. However, the proposals backed by the Council are different from those backed previously by MEPs. Officials from the Council, European Parliament and Commission will begin trilogue negotiations on a final text before the end of June. If the timetable for those talks is followed, the finalised Regulation will be set before the end of the year.
At the meeting, the UK's justice minister Lord Faulks said the UK government was willing to support opening of trilogue negotiations now. He said the "risk-based approach" outlined in the Latvian presidency's proposals mean businesses' data protection obligations "reflect the risks of their processing" of personal data. He said the proposals also "preserve both privacy and opportunities for ground breaking research that may save lives or improve the quality of lives for many".
However, Lord Faulks said the UK government still has concerns about the "practical applications" of the Regulation. He said it thinks the planned 'one stop shop' mechanism for the enforcement of data protection cases spanning across national borders will lead to "costly and protracted decision making" which is neither in the interests of businesses or consumers.
Other countries have also previously outlined their concerns with the one stop shop proposals. Under the plans, national data protection authorities (DPAs) would have to collaborate with one another when assessing what action to take against companies that allegedly breach the new Regulation where those cases are of a cross border nature. However, the plans envisage a role for the European Data Protection Board (EDPB), a new privacy watchdog that would be established under the Regulation to replace the existing Article 29 Working Party, in resolving disputes between DPAs on how to handle such cases.
At the meeting, Ireland's minister for European affairs and data protection Dara Murphy said that whilst Ireland's government supports the move towards trilogue discussions, it still has concerns that the one stop shop plans "might lead to excessive recourse" to the EDPB.
However, a clause has been included in the Latvian presidency's latest proposals which, if included in the final text, would mean that the one stop shop system would be reviewed within two years of becoming operational. Murphy welcomed the inclusion of that clause as "very important indeed".
A number of major differences in opinion between the various EU governments and MEPs will need to be reconciled in the trilogue negotiations before the General Data Protection Regulation is finalised.
"The 'one stop shop' mechanism was a cornerstone of the Commission’s original proposals for a General Data Protection Regulation in 2012," data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said. "The plans now look nothing like they did and this area will be a difficult part of the trilogue negotiations on which to achieve consensus. It remains to be seen whether making provision for a review of the one stop shop mechanism within two years of its operation will be sufficient to reconcile concerns. With other significant issues also to be agreed upon, the race to finalise the text by the end of the year is definitely on."
According to the different versions of the Regulation backed by the Council and Parliament, opinion is divided on issues such as the meaning of consent to personal data processing, the level of fines that businesses that breach the Regulation should be potentially subject to, and whether or not companies should be required to employ a data protection officer.
The finalised Regulation is also likely to see changes made to the rules around the transfer of personal data outside of the EU, as well as a shift in the balance of liability between data controllers and processors. The reforms will also deliver a new data breach notification regime that organisations will need to adhere to, and require businesses to focus on data protection issues when designing new products or ways of serving consumers.