Partial general approach reached on data protection

JHA Council agrees partial general approach on chapter IV of the general data protection regulation

By Dods EU Political Intelligence

Leading provider of EU parliamentary and political intelligence, delivered by an expert team of specialist researchers

10 Oct 2014

@dodseupolintel

Please note that this does not constitute a formal record of the proceedings of the meeting. It is dependent on interpretation and acts as an unofficial summary of the debate.

On October 10, the Justice and Home Affairs Council agreed on a partial general approach on chapter IV of the general data protection regulation, which deals with the obligations for data controllers and processors. This partial general approach is conditional on the provisions made by the Italian Presidency: nothing is agreed until everything is agreed and does not exclude future changes to be made to the text of Chapter IV; it is without prejudice to any horizontal question and it does not mandate the Presidency to engage in informal trilogues with the European Parliament on the text. Apart from the UK, whose representative argued that the UK does not support the concept of partial general approaches, and Finland which has finalised its national position on chapter IV yet, all national representatives agreed on the partial general approach.

Overall, the delegations welcomed the risk based approach and argued that the text represents a good balance between protecting personal data and safeguarding the freedom of entrepreneurship. Commissioner Reichert and several national representatives welcomed the introduction of an exception for SMEs in article 28 regarding maintaining a record of personal data processing as this could be a cumbersome task. France however warned against broadening this exception too largely. Belgium France, Czech Republic and the UK also expressed their reservations regarding the definition of a high level of risk.

The representative of the Italian Presidency argued that the Presidency wanted to aim to close Chapter IV on data controllers and processors and explained that this chapter was also discussed under the Irish Presidency. Everything that can be achieved is built upon the foundations built during the Irish Presidency, he said. He explained that the partial general approach`s conditions are: nothing is agreed until everything is agreed, no prejudice to horizontal issues and it does not give a mandate to start informal negotiations with the European Parliament.

Martine Reicherts, Interim-Commissioner of Justice, Home Affairs and Citizenship,  thanked the Presidency for the work done so far. She argued that it is a good compromise which respects the essence of the Commission proposal. She underlined three aspects: the Commission supports the approach based on two levels of risk: a general level and a high level that would only apply to certain operations. In addition, foreign undertakers will have to nominate a representative within the EU. She also welcomed the fact that a new form of words was proposed that grants an exception to some undertakings. Companies that work regularly in the EU however will have to assign a representative. Finally, she welcomed the introduction of an exception for SMEs regarding the obligation to contain a record of categories of data protection activities per category. SMEs need a preferential treatment, she said, and the exception is in line with the risk based approach. She said she hopes an agreement can be found.

The representative of Germany said that Germany can agree on chapter IV, subject to the conditions mentioned by the Presidency. He also said a statement was circulated among the ambassadors.

The representative of Belgium said that Belgium regretted the definition of a high level of risk. He said it is not clear and is the key element for Belgium in this chapter. However, Belgium might come back to this during the trilogues negotiations. In terms of the public sector, he said Belgium is concerned about this and will get back to this during the horizontal debate. Finally, he argued that positive progress has been made on the chapter and it reflects a good balance, therefore Belgium is happy to support the partial general approach. It can lift all of Belgium`s reservations.

The representative of Spain said that it is a reasonable text with solutions. He also thanked for the fact that the Spanish proposal on certification bodies was taken on board. Spain does not have substantial objections and therefore agrees with the partial general approach.

The representative of Finland said Finland welcomes the progress made. Chapter IV needs to be seen as a whole and it is going in the right direction. There is a right balance between the protection of personal data and the obligations of controllers.  Nevertheless, Finland has not officially finalised its national position on chapter IV. Nothing is agreed until everything is agreed, she said.

The representative of the Netherlands argued that it is a well-balanced proposal and the obligations are only justified if the risk involved in the processing justifies that. There is also a clear explanation of what risk involves and that gives clarity and companies the necessary freedom. He welcomed the balance between the freedom of entrepreneurship and protection of citizens` data. He mentioned however the administrative costs linked to the regulation and said that one must continue to focus on the administrative costs when negotiating other chapters, he said.

The representative of France said that France supports chapter IV. Moreover, France expressed a number of wishes which were taken on board. In a spirit of compromise, she said that France believes the result is enough and will support it. This will also help to work towards the timeline that was set by the European Council. She pointed out however that a distinction is needed between generic risk and high risk; the definition of high risk is not good enough, she said. She also said that article 25 will help respect the principle of extraterritoriality. She said France believes one has to be careful in terms of the scope of exception for keeping data records, referring to the exception in article 28 for SMEs. Despite these reservations, France approves chapter IV.

The representative of Ireland stated that Ireland is happy that appropriate risk based principles have been incorporated. He pointed out that efforts were made during the Irish Presidency and other Presidency to achieve progress. Ireland also welcomes the exception for SMEs as they are essential for the recovery of the economy.

The representative of United Kingdom said that the UK supports the broad approach, in particular strengthening the risk based approach and the introduction of risk triggers. He said that it offers a better balance between the right conditions for innovation and economic growth and personal data protection. Nevertheless, the UK is still reserved regarding the definition of high risk. In terms of article 25 on the designation of a representative, he stated that the threshold is too low. Moreover, the requirement to carry out an impact assessment should be limited to cases where a high risk is inherit.

Furthermore, he stated that articles 33-34 might result in damaging consequences. There might be instances where the public interest demands that the processing of data is done immediately and referred to the Ebola outbreak in this regard. He underlined that it is vital that it is possible to carry out data processing. The UK does not accept the concept of partial general approaches and hence reserves the right to return to chapter IV at a later point in the negotiations.

The representative of Latvia said Latvia supported the partial general approach on chapter IV. He added that in order to improve the regulation, solutions have been found to reduce the administrative burden.

The representative of Austria argued that Austria does not wish to block consensus and has no fundamental objections to agreeing on chapter IV. He pointed out that it is important to have a distinction between the different levels of risk and Austria believes it is pivotal that high risk processing is subject to compulsory consultation of the supervising authorities. Therefore, they circulated a written declaration that refers to those issues and indicates how Austria believes this can be resolved. Subject to the conditions mentioned in the documents and terms of the declaration, Austria supports the partial general approach.

If you are interested in reading the full briefing, please sign up for a free trial of the Dods EU Monitoring service.

Read the most recent articles written by Dods EU Political Intelligence - REPORT: What are the EU’s policy plans for the rest of 2022?