The EU Data Protection Regulation after 3 Years of Negotiation
On January 25, 2012, the European Commission presented a proposal for a “Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, the “Data Protection Regulation” (DPR). The Commissioner in charge of justice at the time, Viviane Reding, aware of the complexity of the matter, stated jokingly that she hoped a decision on this proposal would at least be reached by the end of her term, i.e. in October 2014.
Reding is now gone, a new EU Commission is in place, but the Council of Ministers has only agreed very recently on a few chapters of the ninety-page proposal; “Trilogue” negotiations between the European Parliament, the Council, and the Commission have not even started. When, recently, the new Commissioner, Vera Jourova, claimed that a final agreement would be reached before the end of 2015, this deadline was seen by experts as wishful thinking, just like all those announced previously by her predecessor.
The Parliament cannot be blamed: on 12 March 2014, just before being dissolved in preparation for the May elections, it endorsed with 621 votes in favor, 10 against and 22 abstentions, the position on the regulation adopted by the LIBE (Civil Liberties, Justice and Home Affairs) Committee. But this vote was seen more as a political move (in the context of the NSA scandal) than a nuanced and balanced approach to the difficult issues at stake. The stronger safeguards inserted, the increased level of fines, and some radical definitions are light years away from the compromises currently discussed in the Council. So even once the Council has reached a common position (or “general approach”) on the whole text, reconciling this position with the Parliament’s might take a long time – or end up in a deadlock.
Why is this exercise so difficult when the main objective – better protecting people’s data – should be a consensus priority on the EU agenda?
The answer to this question is two-fold:
First, the Commission’s proposal is very ambitious. Viviane Reding did not propose just a modification of the old 1995 directive, which Member States could have adapted to their national data protection specificities. She presented a comprehensive regulation: national regulators would be directly bound; companies would be dealing only with the supervisor of the country where they are established (the “one stop shop”); companies from outside the EU would have to abide by EU rules; heavy fines would be imposed on those who do not respect these rules; strict definitions were proposed for consent, the right to be forgotten, data portability, and other matters.
But there is a second reason why the negotiation on the DPR drags on. Over the last years technology companies have developed—and exponentially so since the DPR proposal was presented—tools which permit new uses of personal data. It is increasingly difficult to implement the concept of explicit consent; “profiling” is now widespread; e-health, the internet of things and cloud computing have entered our daily lives, but their implications are difficult to reconcile with the traditional EU privacy rules, and generate lengthy discussions among experts, which prevent negotiations on the regulation from progressing.
The European Commission thought that the technological evolution could be dealt with via the use of “comitology” and filled its proposal with so-called “delegated acts”, which allow the Commission itself—with some oversight by the European Parliament and a committee of member states’ representatives—to decide on the legislation to be implemented. But this approach was clearly rejected by the Council at the beginning of the negotiation.
The industry was rather favorable to the DPR proposal at the outset. The “one stop shop” approach was indeed appealing. Instead of having to deal with 28 different regulators, they would only need to speak with the regulator of the country where they have their EU headquarters. Companies, however, then complained about the “administrative burden” imposed on them, notably by the requirement of having a “data protection officer.” (Only SMEs would escape it.)
The open dialogue many companies had developed with the Commission faded away, partly because the Commission applauded the radical approaches of the European Parliament. The industry has now engaged in a constructive dialogue with experts in national ministries, offering solutions to difficult technical problems, but sometimes also adding to the confusion. The interests of various groups are not always reconcilable.
Parallel to the negotiation of the Regulation, an EU directive, presented at the same time, was supposed to deal with the processing of data for “the prevention, investigation, detection or prosecution of criminal offenses”. Yet, owing to the sensitivity of the matter and the reluctance of some member states to deal with it at EU level, progress on this negotiation is even slower.
What has been agreed until now in the EU Council and what remains to be decided?
Not much happened in the Council during the first year. The expert group “Dapix” discussed the text systematically, article by article, but the Danish and Cypriot presidencies limited the debate in the Council to horizontal issues: a regulation or a directive; too many delegated acts; flexibility for the public sector (a German demand); and the administrative burden, among others.
Alan Shatter, the Minister of Justice of Ireland—the European home for many high-tech companies—tried to launch the real negotiation during the first half of 2013. He tried to make the data protection officer optional; he introduced a new approach based on the level of risks to data according to the company processing them, and launched the difficult discussion on “consent”. But, at the end of his presidency in June 2013, he had not managed to obtain an agreement on any of the chapters.
This is when Edward Snowden made his revelations about the collection of data by the NSA. Among other effects, it obviously gave the debate over data protection a more acute political dimension. The reaction was particularly strong in Germany, which until then had been rather defensive about the regulation. Chancellor Merkel announced that Germany would, from then on, defend “a very strict position” in the data protection negotiation.
The Justice Council addressed for the first time, in October 2013, the topic of the “one stop shop,” cherished by the industry. But after lengthy discussion, the ministers realized that, whilst the principle was appealing, the modalities were much more complex than the Commission had anticipated. Only three countries could support the proposal. Germany wanted to give the leading role to the “European Data Protection Supervisor.” France proposed a “co-decision” by the authorities of all countries concerned with the issue; and the British Minister claimed that the proposal was “unrealistic, removed from the citizens and flying in the face of the realities of the companies.” Discussion resumed in December and ended in confusion after the legal service of the Council declared the Commission proposal illegal.
Discussions on “the right to be forgotten” and the amount of fines that could be imposed on those who violate the rules did not lead to more of a consensus. By the end of the Lithuanian presidency, in December 2013, it became clear that there was no chance of reaching a Council position before the election of the new European Parliament in May 2014. This, however, did not discourage the outgoing Parliament, as mentioned above, from voting on its position just before its dissolution.
No progress was made on the “one stop shop” during the first half of 2014 under the Greek presidency. The Greeks then decided to address an issue politically more appealing for the member states in the context of the Prism scandal: the transfer of personal data to third countries. The extension of the scope to non-European companies operating in the EU was rather quickly accepted by most except Britain, which from the beginning maintained a reserved attitude towards the whole exercise. So, for the first time after two and a half years, a “partial general approach” was reached on this issue and others contained in chapter V of the regulation.
From then on, the mood in the Council has become more positive.
A reason for this is the landmark decision of the EU Court of Justice in May against Google on “the right to be forgotten”. Coming two months after a US Court ruled that a US firm could not refuse to hand over e-mails stored outside the US to authorities with a valid search warrant, this judgment was a challenge to the Council. If it could not agree on new data protection rules, the Courts would decide in its place.
The Italian presidency in the second half of 2014 reinforced this new mood by promising Germany that they would draw up specific rules for data managed by the public sector. Germany had objected since the start of the negotiations to the public sector having to respect the same rules as the private sector and had therefore maintained a general reservation.
In October, a second partial “general approach” was reached on chapter IV of the regulation: the role of the “controller” and the “processor”; and in December on provisions for the public sector as well as on specific data processing situations. This does not solve the problem of the scope, but it now seems that part of the public sector rules might be transferred to the directive negotiated in parallel. This might also help the British to renounce their position of having the regulation replaced by a directive. On top of that, the Italian presidency registered a qualified majority on a compromise proposal on the famous “one stop shop.” After some technical work in the next several months, it could also become a “general approach”.
Where do we go from here?
After these (partial) successes, the Council is now confident that further general approaches covering all issues involved might be reached before the summer of 2015. But experts in the Council Secretariat warn that, since these will largely overlap, three or four months will be needed to “consolidate” the various agreements and turn them into one. Only then, in the middle of Luxembourg’s presidency, will it be possible to start the “trilogue” negotiation with the European Parliament.
This trilogue will not be easy. The Parliament decided early on a position which does not take into account many of the compromises arrived at in the Council after long debates. The political link between the DPR and the PNR (passenger name records) proposal—currently blocked in the Parliament—indicates that the trilogue might be very tense and political. A reasonable guess is that the whole process will only be concluded by the end of the Dutch Presidency, i.e. mid-2016.