EU Ministers Make Progress on Privacy Regulation, Set June Deadline for Agreement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

March 13 — Justice ministers from the European Union's 28 member states March 13 agreed in principle to text that would allow a new European Data Protection Board (EDPB) to issue binding decisions in cross-border privacy cases, as part of a new supervisory architecture under the EU's proposed data protection regulation.

Ministers also provisionally signed off on Chapter 2 of the draft data protection regulation, which sets out the principles underpinning personal data processing, including those relating to consent. The chapter also distinguishes categories of sensitive data, such as health data and data on political opinions, to which enhanced safeguards would apply.

Prompted by a proposal from German Interior Minister Thomas de Maizière, ministers also said they would seek to finalize a common position on the draft data protection regulation in June, even if that means open-ended negotiations at the next scheduled meeting of justice ministers June 15–16 until a deal is reached.

A common position among justice ministers would trigger negotiations with the European Parliament to finalize the data protection regulation. The Parliament adopted its position in March 2014.

EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová said at a March 13 press conference following the meeting that agreement between the ministers in June “will make it possible to conclude the data protection reform in 2015.”

One-Stop Shop

Although they agreed in principle on the supervisory system and data protection principles, ministers left several details still to be resolved.

Under what has become known as the “one-stop-shop” proposal, data processors would be supervised by the data protection authority in the country of their “main establishment,” but a data subject would be able to submit a privacy complaint in his or her home country, which might not be the same as the country of the main establishment of the data processor.

In such cases, according to the text upon which the ministers provisionally agreed, the DPA in the country where the data processor had its main establishment would act as the lead authority in resolving the complaint and would be obliged to liaise with and take “utmost account” of the DPA in the data subject's country.

In cases of disagreement between the DPAs, complaints would be referred to the EDPB for a binding ruling. A data subject who disputed an EDPB decision would be able to apply to the court in her or his home country for relief.

Ministers from some countries, including Ireland, Poland and the U.K., said that the one-stop-shop system might prove complex and could result in delayed decisions because of the different levels of referral. In addition, ministers said that a threshold should be introduced to prevent inappropriate or trivial cases from being referred to the EDPB.

To address problems that might arise with the system, ministers said that a revision clause should be included in the data protection regulation allowing review of the functioning of the supervisory system and implementation of changes if necessary.

Data Repurposing

On Chapter 2 of the draft regulation, while broadly endorsing the most recent draft text prepared ahead of their meeting, ministers from several countries questioned a provision that would allow data controllers to process data for reasons other than those for which the data were collected, if the controller's “legitimate interests” overrode the data subject's interests.

Marek Prawda, Poland's permanent representative to the EU, said this “contradicts the purpose limitation principle” and that Poland's approval of the text of Chapter 2 of the draft regulation was “conditional” on further discussion of the details.

Luxembourg Justice Minister Félix Braz said that in such cases of further processing of data for purposes other than the original purpose, data subjects should be able to object, and the issue would require “a lot of further discussion.”

Agreement in Sight?

The European Commission, the EU's executive arm, proposed the data protection regulation in January 2012 to replace the 1995 Data Protection Directive (95/46/EC).

Slow progress in talks between EU member states about the reform has been the main factor holding up progress on the regulation.

With the push to conclude discussions in June, however, ministers indicated that a deal on a common position might finally be in sight.

Dzintars Rasnačs, justice minister of Latvia, which currently presides over the Council of the EU in which member state ministers meet, said that although “not everyone is completely satisfied,” Latvia aimed to conclude an agreement between EU countries on the data protection reform during its council presidency, which concludes June 30.

The draft data protection regulation “is being turned from a rough diamond to a cut diamond; it is being polished progressively,” Rasnacs said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Katie W. Johnson at

The draft text of Chapter 2 of the proposed data protection regulation, discussed by ministers March 13, is available at

The draft text of the provisions of the proposed regulation on the one-stop-shop supervisory system is available at