Shortly before Christmas a new draft version of the Data Protection Regulation was released by the Council of Ministers. The text is still being debated but this certainly shows the direction the ministers are heading in, so is worth some analysis.
Once it is approved, this will become the third version of the law, following on from the original produced by the Commission in 2012, then the one approved by the Parliament in 2014.
Once the Council version is finished, there will then be a final trilateral negotiation to reach the final piece of legislation. Comparing this latest Council draft with the version produced by the Parliament in particular gives some indication of how difficult that negotiation might be, and therefore how long it will take.
Definition of Consent. The Council text weakens consent by removing the requirement that it must be ‘explicit’, preferring the use of the term ‘unambiguous’, a significant departure from both the Commission and Parliament. Although all texts support the interpretation in Recital 25 that consent should be indicated by ‘affirmative action’, the Parliament further strengthened this by adding that ‘mere use of a service’ should not constitute consent.
This issue is particularly relevant to web services, which often seek to rely on continuation of browsing a site as an indicator of consent to privacy practices. The traditional alternative is putting some mechanism in place to require users to signify consent – such as tick boxes. However this can put some people off from using a service by creating a barrier to entry, or lead to ‘consent fatigue’ – where they blindly agree to terms and conditions they haven’t read.
We have seen this battle played out before – most recently with the consent requirements in the cookie law. I think it is safe to say that this is going to continue to be a key battleground right down to the wire.
Information Requirements. Allied to consent is the need to provide information so that data subjects can understand what it is they are consenting to. Here the Council text is far less prescriptive than the Parliament one, which sought to create a highly standardised format for information notices, with clear and consistent language and iconography. The aim was to find a model that would make privacy notices easier to understand, which many have argued is a highly laudable goal. However the format of the notice, and especially the design of the icons, was not well received in the design community in particular.
Data Protection Impact Assessments and Data Protection Officers. The Council has embraced the ‘risk based approach’ to data protection, and this is nowhere more clear than in the modifications to the requirements for carrying out Data Protection Impact Assessments and employing DPOs. The Parliament version of the text is prescriptive in its requirements, with DPIAs and DPOs being required in most circumstances, with exceptions for small business and small scale data usage. By contrast the Council makes DPOs voluntary for most organisations and requires DPIAs only for ‘high risk’ data processing activities.
Whilst this may lift administrative burdens in many circumstances, it also leaves much greater room for interpretation, especially around what constitutes ‘high risk’, and this potentially results in greater uncertainty and widely differing practices, which in turn could lead to weaker consumer protections.
Harmonisation. One of the original stated goals of the Regulation was to harmonise both rules and practices across the EU – creating a level competitive playing field and contributing to the Digital Single Market initiative. This idea is particularly attractive to multi-national operators – but is one of the hardest to deliver, because it reduces the authority of individual countries through their national regulator.
That makes it a highly politicised issue. True harmony might weaken rules in one country, whilst strengthening them in others, and this has resulted in objections to the same wording, but for very different reasons – Germany and the UK being prominent examples. The Council text has a number of provisions in it which appear designed to increase the autonomy of individual country regulators in comparison with the Parliament and Commission texts, leading to a weakening of the ‘one stop shop’ principle.
Also of significant interest in this draft is the sheer number of notes indicating the continued concerns of individual member states. This tells us that agreement on this document may still be a long way from being reached.
January 2015 saw the start of the 6-month Latvian presidency of the EU, and whilst they have put getting a final position from the Council as their top priority, the continuing differences have already led prominent MEP Jan Albrecht, who led the Parliament work on the legislation, to predict that we won’t see finalisation of the Regulation much before the end of this year.