EU: Data Protection Regulation: more trilogue documents
30 November 2015
is publishing more documents from the Council of the EU on the negotiations over the new Data Protection Regulation, currently the subject of trilogue discussions between the Council, the Parliament and the Commission. The documents include a note from the Presidency to Member States' delegations on "outstanding issues where further input is needed": data breaches, data protection officers and administrative fines, amongst other things.
Note from: Presidency to: Permanent Representatives Committee
: Preparation for trilogue
, 14605/15, 27 November 2015
(pdf): "The Presidency invites the Permanent Representatives Committee to focus the discussion on the following main outstanding issues where further input is needed."
The main issues highlighted, along with proposed compromise texts, are:
Data breaches (Articles 31 and 32): "Taking into account the original positions of both co-legislators, the Presidency considers the compromise proposed is fair, balanced and would allow the supervisory authorities to fulfill their tasks without overburdening controllers."
Data Protection Officer (Article 35): "The European Parliament insists on a mandatory Data Protection Officer to be appointed in certain cases. This is an essential element in view of finding an overall compromise on the Regulation. The Presidency proposes that a mandatory Data Protection Officer be appointed in the following limited situations: the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of the data subjects on a large scale; or - the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and data relating to criminal convictions and offences referred to in Article 9a."
Administrative fines (Article 79): "the Presidency proposes the following maximum amounts as a basis for negotiations with the European Parliament: - for Article 79(3) (new): not exceeding 1 000 000 EUR, or in case of an undertaking, 2% of its total worldwide annual turnover of the preceding financial year; - for Article 79(3a) (new): not exceeding 2 000 000 EUR, or in case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year; - for Article 79(3aa) (new): not exceeding 1 000 000 EUR, or in case of an undertaking, 2% of its total worldwide annual turnover of the preceding financial year."
Another document contains:
"[A] comprehensive version of the compromises tentatively agreed at the previous trilogues and the compromise suggestions by the Presidency. Text marked in brackets is considered to be still under final discussion, on which delegations may comment. This is in particular the case with provisions relating to the scope of the Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data."
See: Note from: Presidency to: Permanent Representatives Committee, Preparation for trilogue - whole Regulation, 14481/15, 27 November 2015 (pdf)
Another document raises further issues for discussion amongst Member States' representatives and suggests compromise texts. These concern "rules on dismissal of the members of the supervisory authority and on pensions rights or other benefits" (Chapters VI-VIII); exemption from liability and administrative fines (Chapter VIII); and the use of personal data "for archiving purposes in the public interest or for scientific, historical or statistical purposes."
See: Note from: Presidency to: Delegations, Technical follow-up to COREPERs of 19 and 26 November, 14462/15, 27 November 2015 (pdf)