A second round of “trilogue” negotiation on the EU General Data Protection Regulation (GDPR), on July 14th, has addressed the law’s territorial scope and rules relating to international data transfers (Articles 3 and Chapter 5, respectively).
Although no agreed text has been released, public comments made by Jan Philipp Albrecht, the European Parliament’s lead negotiator on the GDPR, indicate that agreement has been reached “in principle” on most of the provisions discussed. (For a video of his comments, please see here, from 3:10:00 to 3:20:00.) However, some issues remain to be resolved, and it is expected they will be addressed when negotiations resume in September.
International scope
Jan Philipp Albrecht reported that all parties agreed that the GDPR should also apply to data processors (not just data controllers) based outside the EU, if they are active on the EU market (which Article 3 of the GDPR defines as engaging in processing related to the offering of goods or services to individuals in the EU, or to monitoring them) – a development which Albrecht reportedly considers to be a “huge step forward” that would “level the playing field” between EU and overseas-based organizations, such as providers of cloud services yet to establish a physical presence in the EU.
International data transfers
Jan Philipp Albrecht indicated that there was agreement in trilogue that future European Commission decisions that lower red tape surrounding exports of personal data to non-EU countries (so-called “adequacy decisions” relating to third countries and privacy frameworks such as the U.S.-EU Safe Harbor), would be systematically subjected to periodic reviews. The GDPR’s negotiations continue to take place in parallel with bi-lateral EU-U.S. discussions over reform of the Safe Harbor (covered here), and a significant judicial challenge to the scheme (covered here).
As for onward transfers of data (once the data is already out of the EU), there reportedly was agreement to the Parliament’s proposal on Article 40, which would subject onward transfers to the GDPR’s requirements.
The parties also discussed a controversial proposal by Parliament on Article 43a, namely that foreign (non-EU) court rulings or administrative orders requiring disclosure of the personal data of EU citizens could not be complied with unless such judgements/orders are locally binding (pursuant to a mutual legal assistance treaty or other international agreement), or if local data protection authorities authorise the disclosure. Although not finally agreed at the meeting, Albrecht expressed optimism about the prospects of the amendment.
Albrecht stated that the next few negotiation rounds (starting in early September, after a summer recess) would turn to potentially thornier issues of data subjects rights, controller duties, and the legal grounds on which data can be collected and processed.