This post was written by Cynthia O’Donoghue.

The Council of the European Union has published a new review detailing comments on the draft proposal for a General Data Protection Regulation (“Draft Regulation” or “Regulation”). Building on comments made in the DAPIX document, the review contains comments from each EU Member State with suggested changes to the first and second chapters of the Draft Regulation.

Most of the Member States commented on the excessive number of delegated acts which allow the European Commission considerable powers of discretion, and many sought to delete some, if not all, of those delegated acts. Other general comments focused on the territorial and material scope of the Regulation and the fact that some Member States would have preferred a directive (requiring national implementing legislation) to a regulation (direct effect).

Many of the Member States highlighted similar issues with Articles 1-10 of the Draft Regulation, namely:

  • In relation to Article 1 (subject matter and objectives), revision or deletion of paragraph 3 as its impact could reduce the scope of the right to protection of personal data.
  • Frequent comments on Article 2 (material scope) paragraph 2(2)(d) are that the exemption does not take into account the ECJ judgment in Lindquist, where data is made available on the Internet; that the exemption under 2(2)(b) for EU institutions, bodies, offices and agencies should be deleted; and that the concept of ‘national security’ in 2(2)(a) is too vague.
  • The extension of jurisdiction in Article 3 (territorial scope) outside of the EU was considered unworkable and potentially unenforceable.
  • A change to the definition of ‘personal data’ in Article 4 to include anonymised and/or pseudonymised data, and that the definitions of genetic data, biometric data and data concerning health, were all too wide.
  • Article 5 (principles relating to personal data processing) should give greater consideration to the use of pseudonymised data, and that paragraph (f) was considered too general and imprecise, thus creating an excessive liability on a data processor.
  • Most Member States had drafting issues or additions to Article 6 (lawfulness of processing), including in relation to processing for ‘legitimate interests’.
  • Member States welcomed the provision that the controller shall bear the burden of proof for obtaining the data subject’s consent in Article 7 (Conditions for consent), although some questioned the form of consent required.
  • Almost all of the Member States had issues with the intended scope of Article 8 (Processing of child personal data), questioning how controllers are supposed to identify and verify the age of children online, and may interfere with national age limits and systems.
  • In relation to Article 9 (processing special categories of data), Member States questioned whether consent was required in all cases and whether ‘beliefs’ was considered to be too wide.
  • Most Member States had reservations around the wording of Article 10 (Processing not allowing identification), either querying its necessity or questioning its meaning and opting for its deletion.

The document will be discussed in greater detail in our upcoming Client Alert. We will issue Part 2 when the next stage of the review is published.