First EU data protection trilogue on June 24

The EU's Justice and Home Affairs Council today agreed its 'general approach' to the Data Protection Regulation. The Council version of the text appears to be better for the advertising and marketing sector in several key areas.

Now the European Commission, Parliament and Council have their versions of the text ready, trilogue (three-way discussions) between them can begin. The first trilogue will take place on June 24 and marks a crucial stage to the process.

First impressions of the Council text are positive in five areas of particular concern to the industry. We will publish a fuller review shortly:

• Definition of Personal Data: The Justice and Home Affairs Council definition is preferable to the European Parliament’s one as in the Council definition online identifiers are only personal data if they can be linked to an individual. In the Parliament version of the text all online identifiers were personal data regardless of whether they could be linked back to an individual.
• Consent: The Council text is preferred. Both other texts refer to explicit consent, whereas the Council text has removed the word 'explicit'.
• Legitimate Interest: The Council text makes it clear that organisations can process personal information based on their legitimate interests provided they respect the rights of individuals in particular children and certain other caveats. This is much better that the Parliament text which gave a strong emphasis that processing based on legitimate interests was inferior to getting the individual’s consent. In the Parliament version of the text, Legitimate Interest including specific clauses for B2B marketing and postal direct marketing only. However, the new Council text includes the following: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest," which is broader.
• Automated Decision Making and Profiling: The Council have gone back to a definition of automated decision making (including profiling) which only applies where the decision is based solely on automated processing. If there is any review of the automated decision by a individual then this wall fall outside the definition of an automated decision. This is much more similar to the current definition in the 1995 Directive/Data Protection Act 1998 than the Parliament’s version.
• Right To Be Forgotten: Once again, the Council text seems preferable. The Parliament text reads that subjects should have the right to obtain erasure, "when a data subject objects to the processing of personal data". The Council text adds the words, "and there are no overriding legitimate grounds", which is preferred.

The UK, represented by Lord Faulks, supported the general approach but raised concerns on the one-stop-shop and the right to be forgotten.

In two parallel statements, one each from the European Parliament and Commission, the two bodies agreed the approach trilogue negotiations will take to thrash-out the final Data Protection Regulation.

Several other countries raised a number of concerns, including on Article 6.4 on legitimate interest and the scope of the Regulation. All these concerns will be taken into account during the trilogue process.

First to the Commission. Andrus Ansip, vice-president for the Digital Single Market, said: "I feel very encouraged by this positive step towards improved and harmonised data protection rules. Data Protection is at the heart of the Digital Single Market; it builds a strong basis to help Europe make better use of innovative digital services like big data and cloud computing."

Vera Jourová, commissioner for justice, consumers and gender equality, described the agreement as an important step forward and a good basis for the trilogues. She is confident that negotiations can be completed this year, and that the Regulation will be a key building block of the digital single market, good for business and citizens.

"Today we take a big step forward in making Europe fit for the digital age. Citizens and businesses deserve modern data protection rules that keep pace with the latest technological changes. High data protection standards will strengthen consumers' trust in digital services, and businesses will benefit from a single set of rules across 28 countries. I am convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year," she said.

The Council's position gives agreement with the Commission on the following:

• One continent, one law – the regulation will establish a single set of rules on data protection, valid across the EU. Companies will deal with one law, not 28. This will save businesses around €2.3 billion a year. In addition, the new rules will particularly benefit small and medium-sized enterprises (SMEs), reducing red tape for them. Unnecessaryadministrative requirements, such as notification requirements for companies, will be removed: this measure alone will save them €130 million per year.
• Strengthened and additional rights - the right to be forgotten will be reinforced. When citizens no longer want their data to be processed and there are no legitimate grounds for retaining it, the controller must delete the data, unless they can show that it is still needed or relevant. Citizens will also be better informed if their data is hacked. A right to data portability will make it easier for users to transfer personal data between service providers.
• European rules on European soil – companies based outside of Europe will have to apply the same rules when offering services in the EU.
• More powers for independent national data protection authorities – those authorities will be strengthened in order to effectively enforce the rules, and will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
• The 'one-stop shop' - the rules will establish a 'one-stop shop' for businesses and citizens: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business across the EU. Individuals will only have to deal with their home national data protection authority, in their own language - even if their personal data is processed outside their home country.

The Parliament also welcomed the news.

British Labour MEP and Civil Liberties Committee chair Claude Moraes, and rapporteur Jan Philipp Albrecht from the German Greens called for agreement in trilogues by the end of 2015.

"After over a year of stalling, it is encouraging that we can finally push ahead with the EU data protection reform and that Parliament can begin negotiations with the Council. The challenge is now to reconcile the two sides, to ensure that the reform provides reliable and high common standards of data protection, and reach an agreement on this before the end of the year.

"There are clearly differences, notably on consumer rights and the duties of businesses. However, if we can negotiate constructively and pragmatically, it should be possible to deliver a compromise acceptable to both sides within the timeframe. This outcome would benefit everyone and show that the EU takes the concerns of its citizens in the digital age seriously," said Albrecht.

Claude Moraes, who will be chairing the trilogues, called on the Council to agree the Data Protection Directive by October 2015 to allow the two proposals to be treated as a package.