According to recent press reports, the Irish Presidency has prepared a note to report to the Council of the EU on the progress achieved on the European Commission’s legislative proposal for a General Data Protection Regulation. Ireland holds the Presidency of the Council of the EU in the first half of 2013 and has already devoted ten working days to this file in the first six weeks of its term. The Council of the EU is the EU institution representing the 27 EU Member States’ government representatives. Both the European Parliament and the Council must endorse the proposal for it to be adopted.
The risk-based approach
The Council has finalised its first examination of the entire proposal and, following instructions by the Council at the end of last year, the Irish Presidency has now commenced to inject a more risk-based approach into the draft Regulation by proposing amendments to particular provisions, in particular the provisions concerning the obligations on controllers and processors but also some provisions concerning the rights of data subjects. By doing so, the Irish Presidency has tried to address concerns raised by several Member States regarding the level of prescriptiveness of a number of the proposed obligations in the draft Regulation. Under the approach proposed by the Irish Presidency, the risk inherent in certain data processing operations should be a main criterion for balancing the data protection obligations. In other words, the lower the risks the less prescriptive the obligations, and the higher the risk the more detailed the obligations should be. The Irish Presidency’s note is also critical of certain provisions that empower the European Commission to adopt delegated and implementing acts, much in line with the criticism raised by the European Parliament and the Article 29 Working Party, the EU advisory body on data protection.
The Irish Presidency has identified three areas where differences of opinion regarding the risk-based approach remain, which it asks the Council to consider at its next meeting. These are:
- the obligation to engage in prior consultation with the supervisory authority in case the risk assessment indicates a high degree of specific risk;
- the mandatory designation of data protection officers and the possibility to alleviate the controller’s obligations in case a data protection officer has been designated; and
- the possibility to incentivise the application of codes of conduct and data protection certification mechanisms.
The Irish Presidency calls upon the Council to provide instructions so that the Irish Presidency can continue its work, in particular by further developing the criteria to distinguish different risk levels and to explore the use of pseudonymous data as another means of balancing the data protection obligations.
Flexibility for the public sector
In addition to setting out the state of play with respect to the risk-based approach, the Irish Presidency’s note also deals with the question whether and how the proposed Regulation can provide sufficient flexibility for the public sector and highlights the need to continue working on this issue.
Several Member States have requested more flexibility regarding the application of data protection rules in the public sector in view of their constitutional, legal and institutional setup. The Irish Presidency has therefore started investigating whether and how the draft Regulation can take sufficient account of the specificities of the public sector, including with respect to the provisions on profiling. A possible avenue proposed by the Irish Presidency is to make clear what type of details may be specified by the national or Union law (e.g., the purpose of the processing and the controller, the type of data, those who are authorised to consult and use the data, purpose limitations, storage periods and processing procedures) which would constitute the legal basis for the public sector data processing.
The note was to be discussed during a meeting of the Ministers of Justice of the EU Member States at the end of last week. Earlier in January this year, the Council already considered, among others, whether sanctions, such as fines, should be optional or at least conditional upon a prior warning or reprimand.
The Irish Government aims at arriving at a common position with the Council later this spring and at the latest before the end of its term in June 2013. This common position would then form the basis for the Council’s negotiations with the European Parliament, which could start after the Civil Liberties, Justice and Home Affairs (“LIBE”) Committee, the European Parliament’s lead committee for the proposed Regulation, has voted on the amendments proposed by its rapporteur for the draft Regulation, Mr. Albrecht (see InsidePrivacy Draft report on the proposed EU Data Protection Regulation released, January 8, 2013). This vote is scheduled for April. In addition to the LIBE committee, four other Parliamentary committees are involved in the process. Two of them, the committees for Industry, Research and Energy (ITRE) and for Employment and Social Affairs respectively, have already voted on opinions prepared by their own rapporteurs, whereas two other Committees (Internal Market and Legal Affairs) have yet to vote. Whereas the ITRE committee seems to sit well with the Council’s position, the position that the European Parliament is likely to take as a whole will only become clearer after the vote of the LIBE Committee in April.
In any event, if the LIBE Committee were to approve the amendments proposed by its rapporteur, the European Parliament would be ready to start negotiations with the Council, pending the outcome of the Council negotiations.