By Dan Cooper & Maria-Martina Yalamova
On June 6, 2014, the Justice and Home Affairs Council of the European Union (the “Council”), representing individual EU Member States, reached a common position on certain important aspects of the draft European Data Protection Regulation (the “Regulation”). Specifically, the Council reached agreement on the rules governing transfers of personal data outside the EU, set out in Chapter V of the Regulation, and on the rules defining its territorial scope. A number of key elements of the proposal remain under review, however, and agreement on them is not expected for some time. The text of the proposed Regulation also still has to be negotiated and agreed in its entirety by both the Council and the European Parliament, so Chapter V (as well as other provisions) may undergo further changes in that process.
While Parliament’s position is now set in stone (following a plenary vote in March 2014), the Council is still in the process of defining its position on key aspects of the Regulation. According to unofficial sources, the Italian Presidency of the Council (which will take over in July) will aim to agree the remaining Chapters of the Regulation by the end of 2014. It is unclear whether any negotiations on the text between the Council and Parliament will take place before then.
At its June meeting, the Council reached agreement on the following matters:
1) Territorial scope
The Council revised Article 3 (and Recital 20) of the draft Regulation to clarify that data controllers based outside the EU would also fall within the scope of the Regulation if they process personal information of EU residents by virtue of offering goods and services to EU residents, irrespective of whether those goods and services are free or paid for.
2) International data transfers
The Council also agreed, with respect to the provisions relating to data transfers, that:
- data transfer mechanisms (e.g., BCRs, model clauses or ad hoc data transfer agreements) should include provisions that require compliance with data protection laws and the rights of data subjects, as well as the adoption by the parties of a “privacy by design and by default” approach to data processing. (Recital 83)
- BCRs should include provisions specifying, among other things, the relevant complaint procedures and the appropriate mechanisms for reporting to the competent authorities any legal requirements to which a member of the group is subject in a third country that are likely to have a substantial adverse effect on the guarantees provided by the BCRs.
- approved codes of conduct and approved certification mechanisms could be used as valid data transfer mechanisms only when accompanied by a binding and enforceable commitment from the controller or processor in the third country. (Article 42(2)(d) and (e))
- only “explicit” consent would suffice as a legal ground for data transfers to third countries in the absence of an adequacy decision or appropriate safeguards. (Article 44(1)(a))
- data controllers should be able to rely on the “legitimate interest” ground for infrequent or small scale data transfers only when their interests are not overridden by the interests and freedoms of the data subjects. (Recital 88, Article 44(1)(h)) This balancing test is in line with the Article 29 Working Party’s recent Opinion discussing the “legitimate interests” ground for data processing. (See our blog post on the legitimate interests paper here.)
- there should be a new, express provision that allows authorities — at the EU or Member State level — to block the transfer of specific categories of personal data (e.g., passport data or electronic patient records) to third countries for important reasons of public interest. Member States should notify any such decision to the Commission. (Article 44(5)(a))