EXCLUSIVE / EU justice ministers meeting in Luxembourg today (6 June) are expected to consider giving EU institutions a sweeping exemption from new data protection rules.
The European Commission published in January 2012 a broad legislative package aimed at safeguarding personal data across the EU.
The package consists of two legislative proposals: a general regulation on data protection (directly applicable in all member states) and a specific directive (to be transposed into national laws) on data protection in the area of police and justice.
The two proposals have been discussed extensively in the European Parliament and the Council and are due to be voted on by the Parliament in the near future.
The new rules propose to include provisions catering for the right to be forgotten, data portability and access to personal data. But deputies are struggling to agree on around 4,000 amendments, some directly copy-pasted from corporate entities into the draft, possibly stalling the orientation vote in the civil liberties committee again.
The Commission and other EU bodies would apply the new data protection measures after the adoption of the new regulation, using a special internal rule that has been criticised by the EU’s own data protection watchdog, according to a proposal seen by EurActiv.
The idea comes as part of a new attempt by the Irish presidency to break the growing deadlock over new data protection rules, which last week saw a public spat between MEPs responsible for guiding the paper through the European Parliament.
Under the proposals to be considered by ministers – and seen by EurActiv – a raft of business-focused changes are made to the original text.
Commission says it is governed by stricter data rules
An express exclusion from the regulation for the EU institutions is preserved, however, on the condition that a special annex to the new rules will require the Commission to update an existing law affecting the institutions (45/2001), bringing it in line with the new regime.
The Commission contends that this rule is currently stricter than the proposal for the general data protection regulation, since it requires the institutions to have data protection officers and to consult the European Data Protection Supervisor (EDPS) – the EU’s data protection watchdog – on all measures relating to the issue.
However, a spokesman for the EDPS told EurActiv that rule 45/2001 “covers certain issues which are specific to the EU institutional context and which under the proposed general regulation would remain unregulated.”
Data on data supervisor suppressed
These include transfers of personal data between EU institutions, rules applying to data processing in internal telecommunications networks, and rules governing the appointment and powers of the EDPS.
The Irish document suggests that the exemption for the institutions could be scrapped, but claims this would require a raft of redrafting and impede the progress of the new rule.
Under the presidency proposal, the Commission would state its intention to change rule 45/2001, bringing it into line with the regulation, but this would happen after the general regulation had been adopted.
The Commission contends its internal rule change would take effect at the same time as the general regulation. But it would buy time and reserve for itself the right to address how far the new rules should affect it after the general regulation has been set in stone.
This is because there will be a two-year hiatus between the formal adoption of any new regulation and the time member states must implement it, during which the Commission will mull its internal rule change.
In a January 2011 opinion, the EDPS described such a method of regulating the institutions as "inferior," adding: “It would be highly undesirable for the EDPS to supervise compliance of EU institutions and bodies with substantive rules which would be inferior to the rules supervised by his counterparts at national level.”
Other changes suggested by the Irish include limiting the circumstances in which non-EU businesses would be subject to the new rules, and recognising the concept of "anonymised data," which would be excluded from the data protection framework.
Data protection proposal remains hotly contested
The period within which data protection breaches must be reported by companies under the new rule is extended from 24 to 72 hours, and such breaches would only need to be reported if they were harmful.
The proposals remain extremely controversial in all institutions, with eight countries – Belgium, the Czech Republic, Denmark, Estonia, Hungary, Sweden, Slovenia, and the United Kingdom – still preferring to use a directive rather than regulation to implement new data protection rules. A directive would allow for more flexibility in implementation.
The Irish presidency leaves flexibility for the proposed regulation to be transformed into a directive in future if necessary.
Ministers will be asked to endorse the compromises reached with a view to beginning negotiations with the European Parliament in the autumn on the final text of the regulation.
"I think it unfortunate that they [the institutions] are trying to impose the rules by a parallel process. It seems that, from a political point of view, including the institutions would have made it more difficult to get agreement. But, while I can understand the politics of this, I think it would have led to a better-quality draft and to greater legitimacy of the Regulation if the EU institutions had been covered in the proposal from the beginning, since as a rule you tend to draft a set of rules more carefully if you will be covered by them yourself," said Christopher Kuner, senior counsel with law firm Wilson Sonsini Goodrich & Rosati in Brussels.
“If the proposed compromises are endorsed, this is a significant step in the right direction. The compromise text narrows the scope of the proposed Regulation and seeks to move from the detailed, prescriptive approach favoured by the Commission and the Parliament towards a risk-based framework. This proposal encourages a significant change of focus ahead of negotiations between the European Parliament and the Council of the European Union which will set the course of Europe’s data protection law for the next generation,” said Bridget Treacy, a partner with law firm Hunton & Williams.
“The [Irish] presidency’s proposal tempers many of the European Commission’s original proposals that were the subject of the most vociferous debate. The presidency’s proposed compromise text is more business-focused and more pragmatic. In particular, an additional recital is proposed that characterises the right to data protection as a qualified right, highlighting the principle of proportionality and noting the importance of other competing fundamental rights, including the freedom to conduct a business,” Treacy said.
"There is no need to overburden non data-driven businesses with documentation requirements, impact assessments and the requirement to designate data protection officers," said Patrick Gibbels, the secretary-general of the European Small Business Alliance (ESBA).
"The butcher and the corner shop really do not need to employ a data protection officer and the local optician should still be allowed to notify his customers that it is time for their check-up, without getting into trouble. The added cost and unnecessary admin burden on these types of businesses will stifle their growth and reduce their capacity to employ new people. Particularly in times of economic downturn the easy one-size-fits-all approach cannot be justified," Gibbels added.
- 2013: Updated data protection rules continue to be negotiated by European Parliament and European Council