< Back

Share |

Follow Up: New Data Protection law for Europe – What can we expect?

On 8 October 2012, Taylor Wessing invited Mr. Axel Voss, Member of the European Parliament and EPP Rapporteur on the EU's General Data Protection Regulation, Dr. Alexander Dix, Head of Berlin's Data Protection regulating authority and Dr. Joachim Rieß, Group Data Protection Officer of Daimler AG, to discuss the most controversial aspects of the EC's Draft General Data Protection Regulation.

This is a summary of issues debated at Taylor Wessing’s meeting and a useful indication of which areas of the draft are likely to be amended:


1. Roadmap: Save the date for January 2013!
Currently the plan of the Rapporteur is to issue an initial report by mid-December 2012 with a consultation period of around one month.

2. Critical issues: Which parts of the draft Regulation are likely to be amended?
The speeches and panel discussion pinpointed the following topics as having received the widest criticism from an industry and regulatory point of view and it is these which are consequently most likely to be amended:

  • Applicability to public and private sector
    Whether stricter provisions are necessary for the public sector or whether private sector provisions are sufficient is still subject to discussion in the Council and might slow down the above mentioned roadmap.
  • Delegated Acts, Art. 86
    The number of Delegated Acts permitted under the draft Regulation allowing broad latitude for interpretation of the law by the Commission, has been almost universally criticised as being too extensive and the Commission has admitted that this is likely to change under the next draft.
  • Art. 4 - Definitions, Art. 4
    It was pointed out that some of the Definitions in Art. 4 need more detail and that this should be provided by the legislator not by the Commission via delegated acts. This is especially evident with regard to the issue of dynamic IP addresses which under the current drafting may or may not be considered "personal data".
  • Principle of limitation on purpose, Art. 5b
    The relationship between Art. 5b, which requires that data shall only be processed for purposes it was initially collected for and Art. 6 (1) (f), which permits processing for the purposes of legitimate interests of the controller, is currently unclear and requires clarification as to what happens if the processing purposes change.
  • Data transfer to third parties, Art. 6 (1) (f)
    From a German perspective, there is uncertainty with Art. 6 (1) (f) regarding the possibility of onward data transfers if legitimate interests are pursued by third parties. German law provides legal grounds for such cases.
  • Consent: "significant imbalance", Art. 7 (4)
    The lack of a clear definition of "significant imbalance" in Art. 7 (4), leaves room for interpretation. According to the Commission's understanding, processing of data for purposes that benefit an employee should not be subject to this rule. In general, there seems to be consensus at a European level that data protection in the employment context should be dealt with by each EU member state separately.
  • Right to be forgotten, Art. 17
    Discussions are ongoing as to whether this right ought to relate only to additional information provided voluntarily by the data subject.
  • Right to data portability, Art. 18
    There is widespread opposition to this new right and pressure for it to be deleted altogether.
  • Joint Controllers, Art. 24 and Processors, Art. 26
    The introduction of the concept of Joint Controllers in Art. 24 raises questions with regard to division of responsibilities and the blending of roles between processor and controller. The concept is being criticised as being impracticable and in contradiction of the one-stop-shop approach.
  • Data protection officer, Art. 35
    There is a great deal of uncertainty among EU member states about the onerous documentation requirements. Thus calls for an exemption from documentation obligations where a Data Protection Officer has been appointed (similar to the current practice in Germany) have been made. In addition, waiving the requirement for prior consultation with the regulator pursuant to Art. 34, is under discussion where the Data Protection Officer is conducting the 'prior checks' by himself.
  • Court proceedings and penalties/sanctions, Art. 76, 78
    The lack of clear definitions of relevant violations has received widespread criticism. A more sophisticated regime of penalties/sanctions is currently under discussion at a European level.phone
  • Personal data breach, Art. 31
    The 24-hour deadline is generally seen as too short and impracticable. In particular, preventing further or ongoing breach should take priority over the requirement to notify the regulator.
  • Art. 89 - Relationship to Directive 2002/58/EC
    The fact that electronic communications are not part of the draft Regulation causes uncertainty with regard to interpretation and consequences for existing national exemptions.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Sibylle Gierschmann

Sibylle Gierschmann highlights the main areas of discussion at a recent Taylor Wessing event on the European Regulation.

"The 24-hour deadline is generally seen as too short and impracticable. In particular, preventing further or ongoing breach should take priority over the requirement to notify the regulator."