The following EU update from Newgate Public Relations, a Regulatory Strategies partner in Brussels, gives an insight into the progress of the EU’s draft data protection regulation:
The negotiations on the EU General Data Protection Regulation (GDPR) are ongoing but are progressing less smoothly than had been anticipated before the summer break. EU legislators are experiencing difficulties in finding compromises that are viable for both the Council and the European Parliament, as complex issues such as proposals relating to the rights of the data subject (Chapter III) and the principles for protecting personal data (Chapter II) are addressed for the first time.
At the same time, there have been some wider evolutions which impact upon the European data protection framework over the course of September.
On 8 September, the European Commission and the US government finalised the so-called ‘Umbrella Agreement’, which sets up a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The Agreement covers all personal data exchanged between the two sides of the Atlantic for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
‘Robust cooperation between the EU and the US to fight crime and terrorism is crucial to keep Europeans safe. But all exchanges of personal data, such as criminal records, names or addresses, need to be governed by strong data protection rules. This is what the Umbrella Agreement will ensure’, said EU Commissioner Věra Jourová.
The aim of the Agreement is to provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-US law enforcement cooperation and restoring trust.
However, enthusiasm over the finalisation of such an important agreement was quickly diminished on 23 September by an Advocate General of the European Court of Justice (ECJ) who, in an ongoing court case, questioned the validity of the Safe Harbour regime that has governed the exchange of personal data between the two sides of the Atlantic since 2000.
The regime is based on a contract between the EU and the US, in which the EU states that US companies appearing on the US government’s Safe Harbour list shall be treated as if they were European companies with regard to data protection. Such a contract is based on a decision of the European Commission recognising the US as a ‘safe country’ for European data.
Should the Advocate General’s opinion be shared by the ECJ, the US would no longer be automatically regarded as a ‘safe country’ to which European data may be sent freely. As a consequence, national authorities would be entitled to investigate the facts of each individual case, to see if a US company observes the required minimum level of data protection.
Technology groups and trade associations reacted with dismay to the news: ‘We are concerned about the potential disruption to international data flows if the court follows today’s opinion’, said John Higgins of DigitalEurope.
In terms of next steps, negotiations on the GDPR are expected to last until December 2015. While we are getting closer to the finishing line, businesses still have some room for manoeuvre to pursue lobbying activities to achieve an outcome in line with their interests.
Courtesy: Mike Bradford, Regulatory Strategies