Informal Justice Council
Member states would strengthen data protection in their own way
By Nathalie Vandystadt in Nicosia | Tuesday 24 July 2012
The 27 EU member states all agree on the need to revise Community rules on personal data protection – which date from 1995 – to adapt them to the age of the internet. Meeting on 24 July in Nicosia, with Cyprus chairing, the justice ministers nonetheless redefined the European Commission’s ambitions.
A flagship issue for Justice Commissioner Viviane Reding, this draft regulation imposes new data protection rules on both the public and private sectors, in the interest of European consumers but also in the interest of companies, which would be bound by a single legislation rather than 27 different laws in Europe (see box). This could lead to savings of “€2.3 billion a year,” said Reding after the meeting.
After months of inaction, the ministers entered into the heart of the subject at this meeting. They focused on three points.
The first was the treatment of small and medium-sized enterprises (fewer than 250 employees, according to the Commission’s definition). The United Kingdom, staunch supporter of companies, was critical of excessive bureaucracy. But most member states agree that the distinction between large enterprises and SMEs is not relevant enough. To prevent imposing further administrative costs, the EU executive proposes to exempt SMEs from having to appoint a data protection manager and to impose lighter sanctions for breach of the rules. On the other hand, if the SME’s main activity is the processing of personal data, it will be bound by the same rules as large enterprises. The ministers wish to be even more precise, pointing out that SMEs can also be specialised in the processing of medical data, such as a registry of doctors, or handle sensitive data that reveals sexual orientation, for example.
The second point of discussion was whether there should be an exemption for the public sector. Germany gave in a bit, siding with the majority of states. Rather than seeking an exemption or special rules for the public sector, the majority want “more flexibility” to take account of the national characteristics of public services. Germany - whose federal and regional (Bavaria) authorities jealously guard their own data protection rules, given the historical sensitivity of the subject - wishes to be able to go further than the EU rules. London and Budapest were most opposed to inclusion of the public sector, but without going as far as asking for special rules. London argued that it is not the Commission’s role to interfere in its public sector. In contrast, France, Ireland, Luxembourg and Lithuania were apparently most in favour of applying similar rules to the public and private sectors. The Commission, pleased to see that a pure and simple exemption for the public sector is not on the agenda, intends to be flexible on data related to the social security system.
The third subject of discussion was what the EU calls ‘delegated acts’. The Commission proposed around 50 delegated acts with the aim of simplifying the regulation and adapting it to technological advances. The scope of these acts, which would enable the executive to adopt decisions without having to go through the burdensome procedure of co-decision between member states and MEPs (although they will have their say), would be limited to non-essential elements of data processing. This would include, for example, adaptation of the standard form with which public and private enterprises will have to inform consumers of the reasons for collecting their data and how they will be processed. “No one challenged the usefulness of delegated acts,” said a Commission source. Already accused of excessive bureaucracy, the Commission warns against a “regulation of more than 300 articles” if the delegated acts should be deleted. The member states nevertheless have the feeling that the Commission is trying to take on more powers. Apart from Ireland, all states want to “drastically reduce the list of delegated acts,” reviewing them case-by-case, according to a Council source. “We have to be sure that the Commission is the right player when it comes to reacting to technological changes,” noted the British delegation ironically.
Three member states (Lithuania, the Czech Republic and Hungary) adopted a marginal position, arguing for a directive to be implemented by each member state, rather than a regulation. However, the Commission proposed a regulation specifically so that, once adopted, it will apply automatically to the 27 EU member states. This is one way of responding to those who accuse it of creating too much bureaucracy. The regulation will apply to all public and private enterprises that operate in the EU, whether European or not, like Google and Facebook.
Nicosia’s goal is to advance. It will be for Ireland, which will take up the EU Presidency in January 2013, to secure an agreement in principle in the Council. Dublin has already made this matter a priority.
New rules proposed
First, the text increases transparency by providing that those in charge of data processing must provide clear and transparent information (reasons for collecting data, practical arrangements, right to complain) and, in cases of data breach, must immediately inform the control authority and above all the persons concerned. Another key aspect is the right to personal data portability, which gives the persons concerned the right to transmit their personal data to another data processing service provider in a common electronic format. The text defines in detail the right to be forgotten and to online data erasure. The draft legislation also strengthens the right to lodge a complaint, the right to appeal decisions of the data controller, the data processor and subcontractors, and establishes common rules concerning legal procedures.