In today’s Justice and Home Affairs (“JHA”) Council meeting (see here), the Council of Ministers of the EU agreed the Council’s long-awaited common approach on a revised text of the proposed General Data Protection Regulation (“GDPR”). The Presidency of the Council of the EU had published a compromise text for approval by the JHA Council last Thursday, June 11 (the text can be downloaded here).
The Council’s vote fires the starting gun for three-way negotiations between the European Parliament, the Council and the Commission (the so-called “trilogue”) to reach an overall agreement on a final GDPR text. Once passed, the GDPR will bring about a major reform to the EU’s general data protection regime.
The largest political group in the European Parliament (the “EPP”) has released a tentative timetable for the GDPR trilogue, with two meetings scheduled before the summer break. In the first (previously foreseen for June 24, but reportedly brought forward to June 21), the parties will try to agree, among other things, on an overall roadmap for the trilogue discussions. A second meeting, potentially on July 14, may discuss territorial scope and international transfers.
The EU’s legislators are targeting the end of 2015 for the adoption of the GDPR (reconfirmed at today’s JHA meeting), meaning that the GDPR could possibly come into force in late 2017 or early 2018 (after a transition period likely to last around two years).
The Council vote marks the end of an intense push over the past few months to agree on a draft at Council level. It comes more than a year after the Parliament finalized its own position, and three years in total since the Commission’s publication of the underlying proposal.
As of July, the Council will be represented by Luxembourg in the negotiations, which assumes the rotating Presidency of the Council for the next six months. The Parliament’s negotiating team, meanwhile, will continue to be led by Jan Philip Albrecht, a Green party MEP from Germany with overall responsibility for the GDPR in the Parliament.
Broadly speaking, the Council has tended to take a more business-friendly approach on a number of issues than the Parliament, and the Council text differs from the original Commission proposal in a number of areas, including:
-
the lawfulness of processing, in particular further processing and formalities around obtaining consent;
-
the degree to which each EU Member State should be allowed to maintain or introduce more specific provisions or further conditions in their own national laws;
-
transparency requirements;
-
the rights of data subjects, such as the right to object to use of data, the right to be forgotten, and the right to ‘data portability';
-
controllers’ and processors’ obligations, and the attribution of responsibility between them; and
-
the powers of supervisory authorities, the “one-stop shop” mechanism and the role of a new European Data Protection Board.
Despite a number of proposed changes to the chapter on Remedies, Liability and Sanctions, the text proposed by the Luxembourg Presidency for approval did not change the level of the fines as proposed by the Commission in its initial proposal.
Given the discrepancy between the positions of the Council and of the Parliament in a number of areas, it is difficult to predict the outcome of the trilogue. Moreover, following the Parliament’s elections in May last year, the Parliament has a different make-up to the one that agreed the Parliament’s GDPR draft, further adding to the uncertainty over the parties’ priorities and positions for trilogue.