General Data Protection Regulation: Moving forward, slowly
The discussions in the EU on the proposal for a General Data Protection Regulation (GDPR) are slowly advancing, but the final destination is still unknown. Commissioner Věra Jourová , who is responsible for Justice, Consumers and Gender Equality and has the task of ensuring the “swift adoption of the EU data protection reform”, has stated that EU Data Protection reform “is a win-win for consumers and businesses”, and that the red lines of the 1995 Data Protection Directive will remain untouched. However, latest developments in the Working Party on Information Exchange and Data Protection (DAPIX) have brought to the GDPR text new changes that may erode Jourová’s optimism.
In March 2015, EDRi published a set of leaked documents with the (then) latest texts from the EU Council. At the same time we published an analysis of the five main topics we thought were going below the safeguards that were set in the 1995 Data Protection Directive. Our analysis remains valid, unfortunately, for majority of the points we analysed, with some exceptions.
For example, Article 6 and recital 40 on lawfulness of processing of personal data have been touched in different ways. The list of requirements defining whether or not a further processing is compatible with the purpose the data was collected in Article 6 (3a) has become an open list with the insertion of the words “inter alia”. This makes it a broader definition which could add additional safeguards for the data subject. Going a bit further, Article 6.4 is likely to be deleted, since there seems to be a significant number of Member States that are pushing against it. This Article allows for “(f)urther processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject”.
The “one stop shop” mechanism is also a matter of concern. The original idea was to simplify complaints, creating a single point of contact for citizens and businesses bringing a transnational complaint. It would also ensure consistent application of the Regulation through the European Data Protection Board (EDPB), eliminating the current common practice of “forum shopping”. Based on the leaked documents, the current proposed text from the Council on the “one stop shop” mechanism would add several levels of bureaucracy. In the case of a transnational complaint, at least two data protection authorities would have to be involved and reach consensus to solve the case. This could lead to a fragmented implementation of the Regulation as the oversight role of the Board would be greatly reduced. Both citizens and businesses would then be left without the benefits of a swift, predictable and harmonised “one stop shop” mechanism. Finally, data Protection seals (certifications) and binding corporate rules should all be subject to the one-stop mechanism, at least in transnational cases. Otherwise they will offer the possibility to bypass the Regulation.
In the lead-up to the start of the trialogue meetings on this topic, we can only mention a few of the major issues here. In a meeting of the European Data Protection Supervisor with civil society actors (including EDRi, EDRi members Access and Bits of Freedom, as well as BEUC, Code Red, and Privacy International, see video below) on 27 May, we addressed also problems with the definitions contained in the GDPR, the seriousness of having profiling back in the exceptions of Art. 21 after it was taken out by the Parliament, the need for citizens to be able to have access to effective collective redress mechanisms, and problems with the transfer of data to third countries, including the Safe Harbour agreement.
Data protection reform timetable (01.06.2015)
Latest consolidated text of the GDPR
Statewatch: LIMITE document from the Council on Article 6 and recital 40 (26.05.2015)
Other documents obtained by Statewatch are available at
EDPS meeting with civil society (EDRi, Access, BEUC, Bits of Freedom, Code Red, Privacy International)
Badly broken campaign: European data protection reform is badly broken (03.03.15)
(Contribution by Diego Naranjo, EDRi)