On 10 October, the EU Council of Ministers met once again to discuss the proposed General Data Protection Regulation. On the agenda was also the somewhat sensitive issue of how to deal with the European Court of Justice's (ECJ) ruling regarding the "right to be forgotten."
It's coming, just not right now
Regarding the proposed regulation, focus was on the provision of Chapter IV, which deals with the general obligations incumbent upon the data controller and data processor; i.e., data protection by design, data security, documentation requirements, etc. While the negotiations generally showed broad support for the text, numerous ministers felt compelled to underline that no single part of the proposal is agreed until every part is agreed.
Basically, the provisions of the proposal are so interlinked that many are reluctant to let one part go before they know how every other part looks. Not the most effective way of negotiating one might think but at the end they will get there.
Who wants a Data Protection Officer?
Among the more interesting aspects of the text discussed in the Council—and in spite of what some observers have been stating—the Council wants to make the appointment of Data Protection Officers (DPOs) voluntary. This, combined with the somewhat wide reaching protections in the proposal (which make it difficult for organisations to dismiss the DPO) and the fact that many of the previously proposed incentives for organisations to appoint a DPO have been removed, may actually make the appointment of DPO less attractive and therefore less likely. This fact actually prompted one member state to note that this may not be the best way to approach this issue and that further discussions may be needed.
Indeed, this specific issue has been marked as something which the Council has yet to agree a final position on. So maybe all the budding DPOs out there still have reason to be hopeful. In any case, it appears unlikely that Parliament will support anything likely to substantially limit the use of DPOs.
The takeaway
The general takeaway from the negotiations was that while several member states still have reservations, particularly in regard to the administrative burdens imposed on small and medium businesses, general agreement was achieved in regard to Chapter IV. However, it was expressly noted that this agreement did not signify that the current EU presidency (held by Italy) was mandated to begin even informal discussions with the European Parliament about the final text.
So, even though the Commission as always tried to put the most positive spin possible on the outcome of the meeting, there is still some way to go before Council is ready talk to Parliament.
At the end of the day, the most important lesson learned was that the reform has cleared the political intermission created by the election of a new European Parliament and the appointment of the new Commission. And while the latter has yet to take office it is already clear that the new Commission will have no intention of easing off the pressure to get the reform passed.
In essence, the reform now appears unstoppable and fundamental changes to the scope and legal form of the proposal are becoming increasingly unlikely. Thus, the member states still calling for the regulation to be change to a directive—meaning each member state has to legislate generally on data protection, as is the case today—appears to have a very steep climb ahead of them. In fact, as previously noted the compromise appears to be that sufficient "flexibility" is incorporated into the proposal, in essence undermining one of the original objectives of the proposed regulation; i.e., to harmonize rules across the EU. Sometimes the best way to make sure everyone wins is to make sure everyone loses a little.
Lest we forget
On the matter of the so-called "right to be forgotten" it was clear that a number of member states have a somewhat conflicted relationship with the principle. On the one hand, these and other member states expressed general support for the principle; but on the other, they appeared to have a hard time accepting the fact that the Court's ruling clearly gave precedent to the right to data protection even over the right to freedom of expression. It even got to the point where the head of Council's Legal Service felt obliged to intervene in order to stipulate that the ruling in fact was not just the Court's view in regard to the case in question but rather a ruling on the principle. He also made it clear that as the law now stands, the right to data protection has been given at least some form of primacy over other rights.
This point may be correct but it will certainly not be welcomed by the several member states whose constitutions and legal traditions provide specific and wide protections to other rights, which may clash with the right to data protection, including especially the freedom of expression. How this matter is resolved in the course of the ongoing negotiations regarding the proposed regulation, and indeed whether it can be solved, will be interesting to follow.