Steve Peers
The year 2015 is not living up to the futuristic vision presented in the Back to the Future films, particularly with the absence of hoverboards (drones are a disappointing alternative). Instead of establishing a data protection framework suitable for 2015, the Council seems poised to agree on maintaining the core legal principles from 1995 – which are outdated in the context of technology law.
Background
Negotiations regarding the EU’s proposed General Data Protection Regulation appear to be nearing their final stages within the Council. This week, Member State ministers within the Council are anticipated to reach an agreement on two additional sections of the proposed Regulation. These sections address the fundamental principles of data protection and supervisory authorities, including a centralized ‘one-stop shop’ for data protection oversight.
The Council had previously come to agreements on three other parts of the Regulation, encompassing rules on territorial scope, public interest exceptions, and the roles of data controllers and processors. If the proposed texts on data protection principles and authorities are approved this week, the Council’s primary remaining task will be to finalize the Regulation’s scope, definitions, data subject rights (such as the right to be forgotten), and related individual remedies.
This blog post focuses specifically on the fundamental principles of data protection. While the Commission’s proposal recommended moderate modifications to the existing data protection Directive, the European Parliament (EP) aims for more substantial changes. However, the Council’s stance leans toward minimal alterations to the current framework. If the Council prevails in this aspect of data protection law, the EU’s extensive legislative reform process would result in minimal change.
Details
Currently, the Data Protection Directive’s initial article (Article 5) appears to grant Member States significant leeway in implementing the Directive. However, the CJEU effectively diminished this clause’s significance in its ASNEF judgment, emphasizing the importance of uniform interpretation. Although the new Regulation aims to eliminate this clause, the Council, in particular, proposes reintroducing provisions that defer to national law, making the future Regulation somewhat resemble the current Directive.
The fundamental data protection principles put forth by the EU institutions are largely consistent with the existing Directive: fair and lawful processing, purpose limitation, data minimization, accuracy, and storage minimization. Proposed changes include incorporating ‘transparency’, explicit protection for archiving and scientific purposes, and the inclusion of data security. The EP also suggests listing ‘effective protection of rights’ as a principle, promoting a ‘privacy by design’ approach by embedding procedural rights within the system.
The grounds for processing personal data, based on the current Directive, are also outlined in the proposal: consent, contract, compliance with legal obligations, vital interests of the data subject, public interest or official authority, or legitimate interest of the controller or a third party. This last ground, crucial for the private sector in the absence of consent or a contract, has been subject to varied interpretations in case law.
Proposed amendments to these grounds include: consent for specific purposes; extension to vital interests of another person (according to the Council); consideration of children’s interests regarding ‘legitimate interests’; and removing the possibility of third-party legitimate interests as grounds for processing (proposed by the Commission, opposed by EP and Council). Notably, the EP seeks to add a provision linking such private interests to the data subject’s ‘reasonable expectations’. The Council also wishes to maintain the current ‘unambiguous consent’ requirement, while the EP and Commission aim to remove it.
Significant differences emerge regarding changes in data processing purposes. The Commission proposes permitting purpose changes based on the initial processing grounds, except for the controller’s legitimate interests. Conversely, the Council supports allowing purpose changes based on any initial ground, while the EP opposes expressly allowing any incompatible processing. The Council’s position significantly weakens the purpose limitation principle.
One notable change is an explicit definition of consent. All institutions concur that data controllers must demonstrate consent, with the Council proposing the use of clear language and the EP suggesting that relevant contractual terms should be void. They also agree on explicitly granting data subjects the right to withdraw consent. The Commission proposes rejecting consent in cases of ‘significant imbalance’ between the data subject and controller, and the EP wants to invalidate contract terms unnecessary for service provision. However, the Council entirely rejects these protections for data subjects.
Another significant change is a specific rule concerning children. The Commission suggests that information society services should obtain parental consent for children under 13. However, the Council’s version defers to national contract laws without specifying an age. The EP proposes broadening the clause’s scope to all goods and services and adding a plain language requirement.
The proposed Regulation largely retains the prohibition on processing sensitive personal data (e.g., racial origin, political opinions). All institutions agree on adding ‘genetic data,’ with the EP and Commission also proposing criminal convictions. However, this ‘prohibition’ is somewhat misleading, as both current and proposed regulations allow processing on various grounds. The Council aims to expand these grounds further.
Finally, both the EP and the Council want to reinforce the rule exempting data controllers from obtaining additional data for identification purposes solely to comply with data protection law.
Comments
In essence, the Council’s likely version of the Regulation presents only minor changes compared to the existing framework: new principles of transparency and security; an explicit definition of consent; a largely symbolic clause on children’s consent (deferring to national law); and a slightly expanded list of sensitive data and exceptions to its processing.
The EP’s proposed changes are more substantial, including: a new principle of effective exercise of rights; adjustments to the balance between data subject and controller interests; limitations on incompatible further processing; restrictions on questionable contract terms; strengthened children’s rights; and a broader definition of sensitive data.
Despite the attention given to this proposed legislation, the Council’s changes are minimal. Key differences between the EP and the Council lie in balancing corporate interests and individual privacy rights, with companies seemingly influencing the Council to preserve the status quo and privacy advocates persuading the EP to push for greater individual protections. The upcoming negotiations between the EP and the Council will determine whether the new rules will bring meaningful change or merely repackage existing practices.
