On October 10, the Senate Committee on Commerce, Science, and Transportation held second hearing on data privacy that invited advocates and experts to discuss a federal privacy law. The panelists included Andrea Jelinek, director of the European Data Protection Board; Alastair Mactaggart, chair of Californians for Consumer Privacy; Laura Moy, executive director of the Georgetown Law Center on Privacy and Technology; and Nuala O’Connor, president of the Center for Democracy and Technology. Consistent with the previous hearing on data privacy, the discussion focused on two issues (1) potential components of a federal privacy bill, particularly data breach notification, preemption of state law, and the scope of consumer rights and (2) enforcement authority under a new federal privacy regime.

First, the witnesses generally agreed on the main components to be included in a new federal privacy law.  The witnesses expressed the need for stronger data breach requirements, which was met with enthusiasm from Senators Hassan (D-NH) and Klobuchar (D-MN). Senator Klobuchar asked the witnesses how they would view a 72-hour notification requirement like the one in her proposed bill, the Social Media Privacy Protection and Consumer Rights Act of 2018 (also discussed in a previous Inside Privacy post), and the witnesses generally expressed agreement. Dr. Jelinek added that the General Data Protection Regulation (“GDPR”) requires companies to keep data only as long as it is needed, a requirement that could result in less data being at risk in the event of a breach. Professor Moy noted that the current U.S. regime misaligns data retention incentives because companies have strong financial motivations to keep data as long as possible. She noted that clear rules and effective enforcement are essential to limit the amount of data that can be compromised.

The witnesses generally agreed that a federal privacy law should not be weaker than state privacy laws. Mr. Mctaggart stressed that a federal law must be at least as protective as the California Consumer Privacy Act (“CCPA”). He emphasized that a federal law should be a “floor,” not a “ceiling,” meaning that states could institute additional privacy requirements above those required by the federal law. Ms. O’Connor stressed that a “patchwork of state laws” at the state level and a sectoral approach to protect data based on its type (health data, financial data, children’s data) may have made sense a decade ago, but it now leaves a significant amount of personal information unprotected.

The witnesses also generally agreed on consumer rights related to data. Ms. O’Connor stated in her written testimony that a new federal privacy law should limit some types of data collection and processing to uses germane to the service requested by the user, such as collecting precise location information, biometric information, healthcare information, and children’s information. Further, both Ms. O’Connor and Professor Moy emphasized that a new law should prohibit discrimination using data. As Mr. Mctaggart clarified in response to Senators’ questions, a non-discrimination provision would not prevent consumer loyalty programs, but a price differential between allowing a company to collect data and not allowing a company to collect data under the CCPA cannot be coercive.

Second, the hearing discussion focused on the need for meaningful, effective enforcement. Ms. O’Connor and Professor Moy stressed the need for stronger enforcement in response to questions from Senators Markey, Klobuchar, and Schatz. They both recommended that the FTC be vested with greater authority, including rulemaking power and the ability to levy monetary fines. To support this recommendation, they explained that rulemaking power allows the FTC to be agile as technology changes and as new rules need to be developed. As Professor Moy phrased it, meaningful fines elevate privacy and data security issues to a position of importance for company strategy. In addition, Ms. O’Connor and Professor Moy both stressed that state attorneys generals should also be provided with the power to enforce the federal privacy law. Not only can state attorneys generals enforce smaller violations that do not necessarily rise to the attention of a national enforcer like the FTC, but states attorneys general also have been successful at working to help businesses and communities understand their obligations, Professor Moy stated.

This hearing is expected to be one of an ongoing series of hearings on data privacy hosted by the Senate Committee on Commerce, Science, and Transportation.


Today, the EU institutions reached the long-awaited political agreement on the General Data Protection Regulation (GDPR), which will fundamentally change the EU privacy landscape (for the Commission press release see here and the European Parliament press release here).  Almost four years after the publication of the legislative proposal for the GDPR, the final trilogue meeting between the European Commission, the European Parliament and the EU Council of Ministers (“the Council”) led to a compromise (for more details on the process, please see our previous InsidePrivacy post on the first day of trilogue negotiations here).

Today’s political agreement requires formal validation by the European Parliament and the Council.  This is not expected before February or even March of next year.  At European Parliament level, the Civil Liberties, Justice and Home Affairs (LIBE) committee will vote on the GDPR this Thursday, December 17 (see the LIBE agenda here).  Subsequently, the European Parliament’s plenary, which is not formally bound by the committee’s opinion, still has to approve the agreed text, possibly in February.  At Council level, we understand that the text will be discussed in a Coreper (Committee of Permanent Representatives) meeting either this Friday, December 18, or Monday, December 21.  Based on those discussions, the incoming Dutch Presidency of the Council, whose mandate starts in January 2016, will determine the strategy and timelines for Council ratification.  The GDPR could be approved either at a Council meeting in January 2016 or, should further discussions be required, at or after the next formal Justice and Home Affairs Council Meeting on March 10-11, 2016.

A committee of experts will consolidate and finalize the text.  This committee cannot, however, make any substantial changes to the politically agreed text.  Following final adoption, the GDPR will also need to be translated in all the EU’s official languages.  The final step – publication of the GDPR in the Official Journal of the EU, which starts a two-year transition period before the GDPR enters into force – is not expected before mid-2016, which means that the GDPR will enter into force mid-July 2018 at the earliest.

We will publish a more detailed analysis of the content of the GDPR on this InsidePrivacy blog, once the agreed text of the GDPR becomes available.

Today, the first meeting between the European Parliament (“EP”), the Council and the Commission (called “trilogue”) took place with the aim of reaching an agreement on the General Data Protection Regulation (“GDPR”) by the end of the year.  (For background, please see our previous InsidePrivacy post on the Council’s recently agreed general approach.)  The three EU institutions also discussed the status and timetable for the trilogue negotiations on the proposed Data Protection Directive in the law enforcement context (“Law Enforcement DP Directive”).

Right after the meeting,  the EP’s rapporteur on the GDPR, Green MEP Jan-Philipp Albrecht, the Chair of the Civil Liberties, Justice and Home Affairs (‘LIBE’) committee, S&D MEP Claude Moraes, justice ministers from the outgoing (Latvia) and incoming (Luxembourg) Council Presidencies, and the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, gave a joint press conference on the state of play of the talks and next steps.

Continue Reading EU General Data Protection Regulation – First day of ‘trilogue’ discussions

As we recently covered on this blog, on June 15, the Council of Ministers of the EU reached a long-awaited ‘common approach’ on a revised text of the proposed General Data Protection Regulation (GDPR).

Covington will be running a webinar on July 1, repeated on July 2 to accommodate attendees from different timezones, at which specialists from Covington’s London and Brussels office will explain:

  • the current status of the GDPR proposal,
  • the next steps in the legislative process,
  • the expected main changes to the current legal framework, and
  • how companies can prepare in advance.

For more information, and to register for either of the sessions, please click here.

In today’s Justice and Home Affairs (“JHA”) Council meeting (see here), the Council of Ministers of the EU agreed the Council’s long-awaited common approach on a revised text of the proposed General Data Protection Regulation (“GDPR”). The Presidency of the Council of the EU had published a compromise text for approval by the JHA Council last Thursday, June 11 (the text can be downloaded here).

The Council’s vote fires the starting gun for three-way negotiations between the European Parliament, the Council and the Commission (the so-called “trilogue”) to reach an overall agreement on a final GDPR text.  Once passed, the GDPR will bring about a major reform to the EU’s general data protection regime.

The largest political group in the European Parliament (the “EPP”) has released a tentative timetable for the GDPR trilogue (see here), with two meetings scheduled before the summer break.  In the first (scheduled for June 24), the parties will try to agree, among other things, on an overall roadmap for the trilogue discussions. A second meeting, potentially on July 14, may discuss territorial scope and international transfers.

The EU’s legislators are targeting the end of 2015 for the adoption of the GDPR (reconfirmed at today’s JHA meeting), meaning that the GDPR could possibly come into force in late 2017 or early 2018 (after a transition period likely to last around two years).

The Council vote marks the end of an intense push over the past few months to agree on a draft at Council level. It comes more than a year after the Parliament finalized its own position, and three years in total since the Commission’s publication of the underlying proposal.

As of July, the Council will be represented by Luxembourg in the negotiations, which assumes the rotating Presidency of the Council for the next six months. The Parliament’s negotiating team, meanwhile, will continue to be led by Jan Philip Albrecht, a Green party MEP from Germany with overall responsibility for the GDPR in the Parliament.

Broadly speaking, the Council has tended to take a more business-friendly approach on a number of issues than the Parliament, and the Council text differs from the original Commission proposal in a number of areas, including:

  • the lawfulness of processing, in particular further processing and formalities around obtaining consent;
  • the degree to which each EU Member State should be allowed to maintain or introduce more specific provisions or further conditions in their own national laws;
  • transparency requirements;
  • the rights of data subjects, such as the right to object to use of data, the right to be forgotten, and the right to ‘data portability’;
  • controllers’ and processors’ obligations, and the attribution of responsibility between them; and
  • the powers of supervisory authorities, the “one-stop shop” mechanism and the role of a new European Data Protection Board.

Despite a number of proposed changes to the chapter on Remedies, Liability and Sanctions, the text proposed by the Luxembourg Presidency for approval did not change the level of the fines as proposed by the Commission in its initial proposal.

Given the discrepancy between the positions of the Council and of the Parliament in a number of areas, it is difficult to predict the outcome of the trilogue. Moreover, following the Parliament’s elections in May last year, the Parliament has a different make-up to the one that agreed the Parliament’s GDPR draft, further adding to the uncertainty over the parties’ priorities and positions for trilogue.

Last Friday, the Council, which represents the 28 EU Member States, reached a partial general approach on the so-called “one stop shop” mechanism (Chapters VI and VII) and principles for protecting the personal data (Chapter II) (see the press release here, which also contains links to the latest draft texts as prepared by the Latvian Presidency for the Justice and Home Affairs (JHA) Minister meetings on March, 13).

Three years ago, in January 2012, the European Commission proposed a reform of the EU’s data protection rules to make them fit for the 21st century (see here). The Commission pursued a two-fold aim, to strengthen privacy rights and boost Europe’s digital economy. The “one stop shop” mechanism was promoted as one of the major benefits for companies: essentially, under the Commission proposal companies would only have to deal with one single supervisory authority, not 28. The Council has now watered down the Commission’s ambitious proposal to important cross-border cases and replaced it with cooperation and joint-decision making between several data protection authorities concerned. Moreover, the proposed text by Council foresees that the jointly agreed decision will be taken by the data protection authority best placed to deliver the most effective protection from the perspective of the data subject, instead of the authority at the controller’s or processor’s main establishment, as the Commission had initially envisaged. In practice, this could mean that a controller or processor potentially still may have to deal with 28 different data protection authorities.

The JHA reportedly also endorsed a set of general principles of data processing, with a particular emphasis on processing of special categories of personal data. The text also includes measures for processing on the basis of consent as well as further processing for secondary purposes.

The Latvian Presidency is working hard to come to a general approach in June so as to allow the trilogues between Council, the European Parliament and the European Commission to start before the European Parliament’s summer break. Until then, Council still needs to find partial general approaches on a number of open issues, such as sanctions and the Right To Be Forgotten (RTBF).

Today, the European Parliament (EP) voted in favor of the two reports of rapporteurs Jan-Philipp Albrecht and Dimitrios Droutsas concerning the proposed General Data Protection Regulation and the proposed Directive for the law enforcement sector. The support for the report on the proposed Regulation (see here), which the LIBE Committee of the EP had adopted in October last year (see InsidePrivacy, What Companies Should Know About the LIBE Committee’s Amendments to the EU’s Proposed Data Protection Regulation, October 24, 2013), was particularly strong (621 votes in favor out of 653 votes), whereas a considerable minority (276 votes out of 677 with 371 votes in favor) voted against the report on the proposed Directive (see here).

The votes followed a debate on the reform package that took place in the plenary yesterday.  The debate was characterized by strong support for the proposed Regulation.  A few Members of the EP (MEPs) raised concerns in particular in relation to the rules applicable to small and medium-sized companies (SMEs) and the potential impact on freedom of press and health research. However, although several MEPs recognized that the proposed Regulation would not be perfect, the majority considered it to be a step into the right direction and several stressed that it would establish parity of European with non-European companies.

Continue Reading European Parliament Votes in Favor of Proposed General Data Protection Regulation

Only a few days after the leading parliamentary committee waved through the proposed amendments to the European Commission’s legislative proposal for a General Data Protection Regulation (see here and here), the EU Member States’ governments have decided to postpone the adoption of the Regulation to 2015.  Germany and the UK, in particular, supported the delay, albeit for different reasons. The UK called for the delay because it is concerned the proposed Regulation contains too much red tape; Germany, on the other hand, wants to ensure that the new legal framework continues to ensure a high level of protection for its citizens.

This decision is a blow for the Commission and the Parliament, which had pushed hard for an adoption of the proposed Regulation in 2014, before the end of the current legislative period. However, plenty of issues need to be resolved, positions reconciled and compromises found before the new legal framework will see the light of the day.

This process will not be made easier by the fact that all three important players in the so-called “trilogue” process — the Parliament, Council and Commission — will undergo some important reshuffling in the course of the next year. Greece will take over the presidency of the Council from Lithuania as of January 1, 2014. Parliament will effectively exit from the negotiations with the Council and Commission for some time next year. (The last plenary session of the Parliament is scheduled for April before the elections in May, and the constituent session of the new Parliament takes place on July 1, 2014 – which is in the middle of the summer holiday period.)  And a new Commission, once voted in by the Parliament, will enter into office on November 1, 2014.

In light of all these changes, the commitment to 2015 for the adoption of the proposed Regulation still looks rather ambitious.  According to press reports, however, the Commission still considers it possible that the proposed Regulation be adopted in 2014.

The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament (EP)– the EP’s lead committee for the European Commission’s legislative proposal for a General Data Protection Regulation to replace the current EU Data Protection Directive–was supposed to vote at the end of April on the proposed amendments to the draft Regulation. However, since the release of the rapporteur’s draft report on the proposed Regulation (see InsidePrivacy Draft report on the proposed EU Data Protection Regulation released, January 8, 2013) more than 3,000 amendments have been proposed by the different parliamentary committees involved in the process. The rapporteur, Green Member of the EP (MEP) Albrecht, has now been tasked to boil the proposed changes down to 100 compromise amendments. The date for the LIBE Committee vote has therefore been postponed to 29 May 2013.

Despite this delay, MEPs are still hopeful to find an agreement with the EU Member States in the Council on the proposal before the elections in May 2014. This will require a huge effort by both the EP and the Council, which both seem to be split into two camps:  on the one hand those who are pushing for a stricter set of rules, which reinforces both obligations of companies and rights of consumers and provides for increased enforcement powers, and on the other hand those who want to lower the burden for businesses. The latter camp seems headed in the same direction as the Council with its recent calls for introducing a more risk-based approach into the proposal (see InsidePrivacy The Battle Lines are Clearing Up: The Irish Presidency Note on the Proposed General Data Protection Regulation, March 11, 2013).

According to recent press reports, the Irish Presidency has prepared a note to report to the Council of the EU on the progress achieved on the European Commission’s legislative proposal for a General Data Protection Regulation. Ireland holds the Presidency of the Council of the EU in the first half of 2013 and has already devoted ten working days to this file in the first six weeks of its term. The Council of the EU is the EU institution representing the 27 EU Member States’ government representatives. Both the European Parliament and the Council must endorse the proposal for it to be adopted.

The risk-based approach

The Council has finalised its first examination of the entire proposal and, following instructions by the Council at the end of last year, the Irish Presidency has now commenced to inject a more risk-based approach into the draft Regulation by proposing amendments to particular provisions, in particular the provisions concerning the obligations on controllers and processors but also some provisions concerning the rights of data subjects. By doing so, the Irish Presidency has tried to address concerns raised by several Member States regarding the level of prescriptiveness of a number of the proposed obligations in the draft Regulation. Under the approach proposed by the Irish Presidency, the risk inherent in certain data processing operations should be a main criterion for balancing the data protection obligations. In other words, the lower the risks the less prescriptive the obligations, and the higher the risk the more detailed the obligations should be. The Irish Presidency’s note is also critical of certain provisions that empower the European Commission to adopt delegated and implementing acts, much in line with the criticism raised by the European Parliament and the Article 29 Working Party, the EU advisory body on data protection.

Continue Reading The Battle Lines are Clearing Up: The Irish Presidency Note on the Proposed General Data Protection Regulation