On June 15, 2015, the Ministers of Justice of all 28 European Union member states, sitting as the Council of the EU (Council), reached a crucial agreement for the future EU data protection legal framework. Much work still needs to be completed, but this is a major step forward in the adoption of the EU General Data Protection Regulation (Regulation).
The Regulation introduces important changes to EU data protection law that will have a significant impact on companies doing business in the EU. While the timing of final approval is still unknown, the fact that the Council has reached a general approach significantly increases the chances that the final text of the Regulation will be adopted in the foreseeable future. To learn more about the practical implications for businesses and how to prepare for the new legal framework, please join our webcast on July 15.
Where Do We Stand?
Under the EU legislative process, three institutions are involved in the enactment of new legislation: (1) the European Commission (the Commission—executive arm of the European Union); (2) the European Parliament (the Parliament—directly elected representatives from all 28 EU member states); and (3) the Council of the European Union (the Council—governmental representatives from EU member states).
The EU legislative process is highly complex, but can be summarized as follows: the Commission makes a proposal for legislation, which is reviewed and discussed by the Parliament and the Council. Both the Parliament and the Council negotiate the text on their own. Within each institution, amendments are proposed to the Commission’s text in order to reach a common position. Once each institution has reached its position, the three institutions attempt to reach agreement on the final text of the legislation (i.e., the Trilogue).
1. January 2012: The EU Commission Proposal. The Regulation was proposed by the Commission in January 2012¹ to replace the 1995 EU Data Protection Directive. The text introduced important changes to EU data protection law, including stricter rules regarding the use of consent as a legal ground for data processing; strengthened individuals’ rights; restrictions on profiling activities; and increased sanctions for data protection violations. The proposal provides for administrative fines of up to 2 percent of a company’s annual worldwide turnover, or up to €1 million (whichever is more). It also introduces new requirements in EU data protection law, such as a data breach notification requirement; the obligation to conduct data protection impact assessments; the principles of data protection by design and by default; and the obligation to appoint data protection officers.
One of the main benefits of the proposal is the introduction of a one-stop shop regulator for companies doing business in multiple EU member states, meaning that they would be subject only to the jurisdiction of the Data Protection Authority (DPA) of the member state in which they have their main establishment.²
2. March 2014: The EU Parliament Amendments. The Parliament issued its first draft report on the proposal in early 2013.³ This text was heavily debated in Parliament and triggered a large volume of comments from stakeholders. After lengthy debates in different committees, the Parliament adopted its amendments to the Commission’s proposal in March 2014.⁴ The amendments are generally stricter than the Commission’s proposal. For example, they further strengthen the rights of individuals, impose additional restrictions on profiling activities and increase fines for data protection violations to up to €100 million, or up to 5 percent of a company’s annual worldwide turnover (whichever is greater).
3. June 2015: The EU Council’s Amendments. In parallel to the negotiations in the Parliament, the Council has been meeting since 2012 to discuss amendments to the Commission’s proposal. In June 2015, the Council reached an agreement on its text of the Regulation.⁵ The Council’s general approach makes a number of significant changes, such as removing some of the restrictions applicable to the use of consent as a legal ground for processing personal data and adding some flexibility for companies to process personal data for new purposes. However, the Council also significantly weakened the one-stop shop mechanism by limiting it to important cross-border cases and providing a role in the decision-making process for all DPAs involved, which is a setback compared to the Commission’s proposal.⁶
4. Present Status: Trilogue Negotiations. The three EU institutions have started their final negotiations, which should lead, ultimately, to the adoption of the Regulation. There is momentum now on which the EU institutions should build to reach a final agreement. However, while there is broad agreement between the EU institutions on many of the core principles, the exact wording of the final text of the Regulation still remains unclear and will have to be agreed on as the result of a compromise via the Trilogue meetings.
The main challenge of the Trilogue will be to reconcile diverging or opposing views. The Parliament is seen as the most privacy-oriented institution in the EU, while the Council is usually quite business friendly. The text that results from these negotiations is often the outcome of intense negotiations and the result of significant trade-offs. It sometimes produces compromises that are difficult to apply or interpret in practice. It thus remains to be seen how the EU institutions will manage to reach an agreement and what the final text of the Regulation will look like.
The Trilogue meetings are informal, and it is difficult for stakeholders to know what happens during this final stage of the legislative process as it takes place behind closed doors. At the first Trilogue meeting, on June 24, 2015, a timetable for the upcoming meetings was agreed on,⁷ with the aim of adopting the Regulation by the end of 2015. The next meeting is scheduled to take place on July 14 and will deal with the provisions on international data transfers. The Trilogue will be led by the Luxembourg Presidency and, if no agreement is reached by the end of 2016, by the Dutch Presidency. Both countries have substantial experience in handling European matters, which allows for some optimism.
The European Union has made significant progress toward the adoption of a new EU data protection framework, but important work still remains. The Parliament’s text that was adopted in March 2014 and the Council’s text adopted in June 2015 are by no means the end of the story.
The Commission, Council, and Parliament are now in their final negotiations to reach an agreement. While there is some broad agreement on the core principles of the Regulation, the exact wording of the Regulation still remains unclear, and it will be the result of a compromise between the three EU institutions.
So far, all predictions have failed, but it is now reasonable to believe that a final text of the Regulation will be agreed on by the end of 2015 or during the spring of 2016. The Regulation will enter into force two years after its adoption, which means—at the earliest—the end of 2017 or the spring of 2018. Companies doing business in the EU or targeting EU individuals should start planning for the Regulation and assess how its new core principles will affect their business.
To keep up to date with the legislative developments concerning the Draft Regulation, see Wilson Sonsini Goodrich & Rosati’s EU Data Protection Regulation Observatory at https://www.wsgr.com/eudataregulation/index.htm.
2 For a detailed analysis of the Commission’s proposal, see https://www.wsgr.com/eudataregulation/pdf/kuner-020612.pdf.
3 See the Draft Report of the Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (LIBE Committee), which is the lead committee with regard to the data protection reform, available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-501.927%2b04%2bDOC%2bPDF%2bV0%2f%2fEN.
6 For a detailed analysis of the Council’s text, see https://www.wsgr.com/eudataregulation/pdf/BNA-0615.pdf.
7 The official timetable was not made public. However, an indicative timetable was published on the website of the Group of the European People’s Party in the European Parliament: http://www.eppgroup.eu/news/Data-protection-reform-timetable.