EU Data Protection Regulation: 2015 the year of reckoning?

The Justice and Home Affairs Ministers reached a partial agreement on chapter 4 of the draft Data Protection Regulation (the obligations of data controllers and processors) at their meeting on 10 October and they are taking a business-friendly, risk-based approach.

How this affects the one-to-one marketing industry
Chapter 4 is a key part of the draft Regulation and deals with the general obligations of data controllers and processors, data security, data protection impact assessments and prior consultation, data protection officers, codes of conduct and certification.

What this partial agreement means in Brussels
As it is only a partial agreement Justice and Home Affairs Ministers do not have the power to enter into three-way negotiations with the European Commission and the European Parliament to agree a final version of the Regulation.

The partial agreement also means that the Ministers can revisit this chapter once they have agreed the rest of the Regulation. It is important that they are able to do this as this chapter is strongly linked to other parts of the draft Regulation, for example the chapter on sanctions and fines.

Risk-based approach builds on work of the Irish Presidency
Overall, the national delegations from the Member States welcomed the agreed text. It contains a risk-based approach, building on the work of the Irish Presidency on this topic in 2013.

Under the risk-based approach organisations dealing with personal information have to take greater obligations, for example to protect personal information, if the individual would suffer a high level of harm if that personal information was lost or stolen.

This approach represents a good balance between protecting personal data and safeguarding the freedom of entrepreneurship. In essence, the risk-based approach is a more business-friendly approach than that of the European Parliament version of the text as it balances the obligations of organisations handling personal information with the type of personal information.

Italians try to get agreement on the one-stop shop mechanism
The Italians will spend the rest of their Presidency, which ends in December, trying to get agreement on the one-stop shop mechanism. This would allow businesses to deal with one national data protection authority in the EU (the one where it carries out its main data-processing activities).

Member States are finding it difficult to agree on how great a role other national data protection authorities should have in the process. For example if a French citizen had a complaint about a UK-based business, the UK national data protection authority would deal with it. However, should the the French national protection authority have co-decision rights with the UK national data protection authority or only be consulted?

Ministers prepare to tackle right to be forgotten in January 2015
The Justice and Home Affairs Ministers will continue work on chapter 3 of the draft Regulation dealing with the rights of individuals in the New Year under the Latvian Presidency. This section contains profiling and the right to be forgotten, which are key issues for data-driven, one-to-one marketers. Much of the work will be carried out by civil servants from the Member States in their working group meetings.

New Data Protection Regulation could be passed by late 2015
There is now real political momentum to get the Regulation agreed in 2015.The Justice and Home Affairs Ministers will reach agreement on the whole text of the draft Regulation by June 2015 at the latest, possibly before a heads of government summit meeting in March 2015. This will mean that the three-way negotiations with the European Parliament and the European Commission to agree a final version of the text will start in the second half of 2015. The Regulation will therefore be passed in late 2015 or early 2016 meaning that it will have to be implemented into UK law by late 2017/early 2018.

The DMA will continue to keep members updated of developments on the DMA website and in the Data protection toolkit.