Data protection reform takes a business-friendly turn | DMA

Filter By

Show All

Connect to


Data protection reform takes a business-friendly turn

A more business-friendly draft of the Draft Protection Regulation emerges as the Irish presidency of the Council of Ministers draws to a close. The Irish Government has tabled a revised draft of Chapters 1-4 of the Data Protection Regulation, which will reassure direct marketers and any businesses that collects or processes data.

Chapters 1-4 in the draft Regulation are crucial in the data protection debate as they contain the fundamentals of the reform package:

  • The data protection principles
  • The rights of individuals
  • The obligations of data controllers and data processors.

5 key changes in draft text for direct marketers

1. The right to data protection is not an absolute right but must be balanced with other fundamental rights, including the freedom to conduct a business, in a proportionate way.

2. Direct marketing is recognised as a legitimate interest in the collection and processing of data. This allows businesses to use legitimate interest as a legal basis for processing personal information, along with preventing and monitoring fraud and pseudonymising personal data.

3. Unambiguous consent replaces explicit consent. Marketers won’t have to use an opt-in tick box to obtain consent. Individuals could give consent orally, in writing, and browser settings or other application where this is technically feasible and effective.

4. Compulsory appointment of a data protection officer (DPO) left at the discretion of individual Member States. The UK Government has a track record of doing the minimum required to comply with EU data protection legislation so UK businesses probably won’t be required to appoint a dedicated DPO. Even if the UK Government did go for the appointment of a DPO, the Irish draft text allows businesses to appoint somebody who was already working in a legal or compliance or IT security function. This is because the draft text clarifies that the DPO can fulfil other obligations, provided there is no conflict of interest.

5. A risk-based approach to data security breaches notifications. Businesses won’t have to notify individuals of every single data security breach, especially if there is little or no risk to personal data. If, for example, the data controller implemented technological protection measures to make sure the data was anonymised and those measures were applied to the data affected by the data security breach, there would be no need to notify the individual about the breach. Other obligations on data controllers and data processors in Chapter 4 make reference to a risk-based approach. So the requirement to carry out a data protection assessment is only required where any processing operations are likely to present specific risks.

EU’s reaction to proposed changes
EU Ministers generally endorsed the revised Irish draft but say they need to see the whole text of the draft regulation once the Council of Ministers have finished all their revisions before they can agree any part of it. This is because there is so much interlinking between the various chapters in the draft Regulation.

European vote on draft reform delayed again
The vote on the compromise amendments in the Committee was due to take place in early July but has now been put back to September. This means that the plenary vote in the European Parliament is likely to take place in October.

What’s happening behind the scenes?
The European Parliament needs to approve the draft Regulation and is working on its own version of the draft Regulation completely separate from the draft text produced by the Irish Government.

Lead negotiator for the draft legislation, German Green MEP, Jan Albrecht, produced a draft set of amendments in January of this year. Other MEPs were given the opportunity to table their own amendments and they tabled over 3,000.

The Civil Liberties Justice and Home Affairs Committee is now looking at the 3,000 amendments to see whether it can produce a set of compromise amendments which the MEPs can approve in a first reading plenary session.

A public dispute has erupted between Baroness Ludford (a UK Liberal Democrat MEP who is leading the work of the Liberal Group in the European Parliament) and Albrecht. It follows an interview that Albrecht gave to complaining about the time the Committee is taking to discuss the draft compromises. In her public reply Ludford says that this is due to the lack of infrastructure to support the Committee. Ludford also points out that the draft compromises Albrecht is putting forward fail to reflect what he knows to be the weight of opinion. She also calls on Albrecht to accept the responsibility arising from some of his drafts containing unworkable or unclear language.

There is still a lot of work for the Council of Ministers to do if the Regulation is going to be passed by Easter 2014, before the European Commission and the European Parliament come to the end of their respective five-year terms of office.

In the words of Viviane Reding, European Justice Commissioner: “The Council of Ministers and the European Parliament will need to move up a gear if they want this reform to happen sooner rather than later. The clock is ticking for international competitiveness.”

What next?
Lithuania takes over the Presidency of the European Council of Ministers on 1 July and the Government has already admitted that it does not have the knowledge or resources to progress the draft Regulation. Several Member States (including the UK) have offered their assistance, rather than the Lithuanians relying on the European Commission.

James Milligan, Solicitor, DMA

Hear more from the DMA

Please login to comment.