EU General Data Protection Regulation: EU ministers agree Europe-wide standards
Earlier this week, the justice and home affairs ministers of the European Union agreed for the first time on a draft for the Europe-wide General Data Protection Regulation (“GDPR”). The draft marks an important stage in the three-year debate since the EU Commission introduced an initial reform proposal as early as January 2012. A majority of the EU Parliament also agreed on a reform draft and specified its positions in March 2014. The General Data Protection Regulation is intended to guarantee better protection of internet users’ personal data and to create uniform European legislation for businesses.
I. Background of the data protection reform
The substantial new provisions will replace the current EU Data Protection Directive 95/46/EC, which is widely regarded as outdated and still contains provisions originating from a time when less than one per cent of Europeans used the internet at all. The EU Member States have implemented the requirements set in the EC Data Protection Directive in different ways, which means that 28 different systems have so far been in place. Ireland, for instance, has relatively low data protection standards.
II. Uniform standards for all Europeans
In future, uniform data protection provisions will apply to all 28 EU Member States. The GDPR will apply directly in all Member States and to all businesses offering their services within the EU. While this means a clear improvement for consumers, businesses will also benefit from uniform Europe-wide standards, as they will no longer have to consider the legislation of 28 different states if they wish to operate in several European countries. This will lead to increased legal certainty as far as the handling of personal data is concerned and to a substantial reduction in bureaucracy. Consumers will be better able to proceed against individual companies based abroad, as they will be in a position to enforce their rights more easily and in all EU states.
III. Key aspects of the reform
By reaching a basic consensus on the General Data Protection Regulation, the EU ministers have already achieved agreement on key aspects of the reform. Nevertheless, numerous individual issues are still undecided. Agreement in the Council of Ministers is still outstanding on five out of the eleven chapters of the envisaged Regulation. These include the chapters on the rights of the data subject and on legal remedies. Compromises will also have to be found with the EU Parliament. On some points, Parliament calls for stricter rules than provided so far in the ministers’ draft.
There is, however, agreement regarding the envisaged right to deletion of user data as well as the right to data portability. Data portability is supposed to enable consumers to take their data with them, for example, from one social network to another.
One of the main subjects of the debate is the change of purpose. While Parliament demands that businesses may not use the data for any purposes other than those originally determined, the German federal government opposes such a strict limitation by referring to the German Federal Data Protection Act, which does in fact permit the use of such data for other purposes under certain circumstances. Another controversial issue is the prohibition of what is known as profiling. While Parliament sets narrow limits on the merging of personal data, the EU states wish to prohibit only automated individual decisions and thus prevent discrimination.
IV. Further steps up to the final General Data Protection Regulation
Following the agreement reached by the justice and home affairs ministers of the 28 EU states regarding their common positions for new data protection legislation, trilogue negotiations can now commence between the Council, the Parliament and the Commission to reach agreement on the final version of the GDPR. However, the positions of the clearly consumer-friendly Parliament on the one hand and the reform proposals submitted by the ministers on the other hand are still far apart on some issues. Trilogues will start as early as 24 June and, according to EU diplomats, will be completed by the end of the year at the earliest. Following a transition period of two years, the reform could then enter into effect in 2018 at the earliest. The GDPR would then replace the current Federal Data Protection Act.
V. Effects on German data protection standards
We expect the current German data protection standards to be essentially maintained. The provisions regarding the handling of personal data will, however, in future be laid down in new Europe-wide legislation. While this new legislation will introduce some innovations, EU legislators have on many points been guided by the existing German data protection provisions.