European Parliament
Subscribe to European Parliament's Posts

Any Progress? The Draft Data Protection Regulation Celebrates its Third Anniversary

On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.

The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.

The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.

It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.

The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.




Article 29 Working Party Defends BCR-P to European Institutions

On 12 June 2014, in a letter from the Article 29 Data Protection Working Party to the President of the European Parliament, the Working Party has defended, and urged the EU institutions to discuss, Binding Corporate Rules for Processors (BCR-P) in respect of the forthcoming EU General Data Protection Regulation.

In its letter, the Working Party clarifies its views on BCR-P, outlines the safeguards that BCR-P offer and addresses concerns that have led some to call for the dropping of BCR-P. The letter suggests that these issues should be covered during future trialogues between the EU Council, the European Commission (whom both received copies of the letter) and the European Parliament.

Background

Binding Corporate Rules (BCR) represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection. Broadly, BCR are legally enforceable corporate rules applied by company groups which, on the approval of the relevant national data protection authority, are deemed to ensure sufficient protection for international transfers between group companies.

In December 2011, the European Commission announced that BCR would be updated in the new EU General Data Protection Regulation. Whilst BCR only apply to data controllers, the Working Party is a proponent for BCR-P (which apply similarly to data processors rather than data controllers) and, in June 2012, established a BCR-P framework. In brief, BCR-P permit data processors, on the instruction of data controllers, to forward personal data to their group companies, otherwise known as “sub-processing”. The Working Party has officially permitted companies to apply for BCR-P since January 2013. To date, three international organisations have BCR-P approved by their national data protection authorities, with a further 10 currently under review.

In Defence of BCR-P

In its letter, the Working Party encloses an explanatory document setting out the main guarantees offered to data controllers, data subjects and data protection authorities generally, relating to:

  • Use of external sub-processors;
  • Conflict between an applicable legislation and BCR-P and/or Service agreements / Access by law enforcement authorities;
  • Controllers’ rights;
  • Data subjects’ rights;
  • Processors’ obligations towards data protection authorities; and
  • Implementation of accountability measures.

The Working Party also stresses the high level of protection that BCR-P offer to international transfers of personal data, which, according to the Working Party represent the “optimal solution” to encourage data protection principles abroad. In the alternative, the Working Party suggests that model clauses or Safe Harbour do not offer a comparable level of protection.

In response to calls for the European Parliament to drop BCR-P from future legislation due to a lack of guarantees to frame sub-processing activities, the Working Party clarifies that BCR-P offer greater levels of protection that those currently provided by the European Parliament. Furthermore, the Working Party concludes that to drop BCR-P would create legal uncertainty and represent a loss generally to those organisations with approved BCR-P or those currently [...]

Continue Reading




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021