The Commission and other EU bodies would apply the new data protection measures after the adoption of the new regulation, using a special internal rule that has been criticised by the EU’s own data protection watchdog, according to a proposal seen by EurActiv.
The idea comes as part of a new attempt by the Irish presidency to break the growing deadlock over new data protection rules, which last week saw a public spat between MEPs responsible for guiding the paper through the European Parliament.
Under the proposals to be considered by ministers – and seen by EurActiv – a raft of business-focused changes are made to the original text.
Commission says it is governed by stricter data rules
An express exclusion from the regulation for the EU institutions is preserved, however, on the condition that a special annex to the new rules will require the Commission to update an existing law affecting the institutions (45/2001), bringing it in line with the new regime.
The Commission contends that this rule is currently stricter than the proposal for the general data protection regulation, since it requires the institutions have data protection officers and to consult the European Data Protection Supervisor (EDPS) – the EU’s data protection watchdog – on all measures relating to the issue.
However, a spokesman for the EDPS told EurActiv that rule 45/2001 “covers certain issues which are specific to the EU institutional context and which under the proposed general regulation would remain unregulated.”
Data on data supervisor suppressed
These include transfers of personal data between EU institutions, rules applying to data processing in internal telecommunications networks, and rules governing the appointment and powers of the EDPS.
The Irish document suggests that the exemption for the institutions could be scrapped, but claims this would require a raft of redrafting and impede the progress of the new rule.
Under the presidency proposal the Commission would state its intention to change rule 45/2001 bringing it into line with the regulation, but this would happen after the general regulation had been adopted.
The Commission contends its internal rule change would take effect at the same time as the general regulation. But it would buy time and reserve for itself the right to address how far the new rules should affect it after the general regulation has been set in stone.
This is because there will be a two-year hiatus between the formal adoption of any new regulation and the time member states must implement it, during which the Commission will mull its internal rule change.
In a January 2011 opinion, the EDPS described such a method of regulating the institutions as "inferior," adding: “It would be highly undesirable for the EDPS to supervise compliance of EU institutions and bodies with substantive rules which would be inferior to the rules supervised by his counterparts at national level.”
Other changes suggested by the Irish include limiting the circumstances in which non-EU businesses would be subject to the new rules, and recognising the concept of "anonymised data," which would be excluded from the data protection framework.
Data protection proposal remains hotly contested
The period within which data protection breaches must be reported by companies under the new rule is extended from 24 to 72 hours, and such breaches would only need to be reported if they were harmful.
The proposals remain extremely controversial in all institutions, with eight countries – Belgium, the Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia, and the United Kingdom – still preferring to use a directive rather than regulation to implement new data protection rules. A directive would allow for more flexibility in implementation.
The Irish presidency leaves flexibility for the proposed regulation to be transformed into a directive in future if necessary.
Ministers will be asked to endorse the compromises reached with a view to beginning negotiations with the European Parliament in the autumn on the final text of the regulation.