This post was written by Cynthia O’Donoghue.
On 24 April 2013, the EU Presidency, currently held by Ireland, prepared a Note to the Committee of Permanent Representatives (COREPER) regarding the proposed General Data Protection Regulation (Regulation). The Note was leaked and published on Statewatch’s website. Statewatch is a civil liberties organisation. In the Note, the Presidency discusses “pivotal issues, the resolution of which requires political guidance,” including the scope of the Regulation and the requirement for “explicit”’ consent. The Annex to the Note proposes specific drafting amendments.
The Note focusses on five key issues:
- Material scope
- Territorial scope (or jurisdiction)
- Data processing principles
- Freedom of expression and access to public documents
The proposed Regulation excludes data processing where the activity is outside the scope of EU law, and processing by EU institutions and law enforcement, both of which are considered problematic. Concern was also raised about the exclusion of household uses, which as drafted would exempt processing” by a natural person without any gainful interest in the course of its own exclusively personal or household activity.” Most delegations wanted the scope of the household exemption clarified, and the Presidency proposed a compromise extending the provision to all social networking and online activities carried on in the context of personal and household activity.
The Note acknowledged that the territorial scope of the Regulation is ambitious by seeking to govern “the offering of goods or services (…) to data subjects in the Union,” or “the monitoring of their behaviour as far as their behaviour takes place within the European Union.” The Presidency suggested setting out factors that can indicate whether a particular offer is aimed towards EU residents, even though many delegations questioned the practicality of such a wide jurisdictional scope, doubting whether non-EU controllers will be aware of and willing to comply with the Regulation.
The Presidency acknowledged that the proposed definition of consent is beyond that required under the 1995 Data Protection Directive, and many delegations view the new requirement for explicit consent as unrealistic and of little value, especially on the Internet. The Presidency proposed replacing “explicit” with “unambiguous” for all non-sensitive personal data, and removing the exclusion of consent obtained in relationships with an imbalance of power, because it would lead to legal uncertainty.
While the Presidency noted that the data protection principles are largely the same as those within the 1995 Directive, a new principle of data security and confidentiality was added, and consequently there should be further discussion in light of processing of data for historic, statistical, or scientific or archiving purposes.
Lastly, the Presidency suggested adding articles enabling Member States to reconcile the right of data protection with the other fundamental rights of freedom of expression and freedom of information.