It seems that negotiators are still looking to reach a final draft of the EU’s General Data Protection Regulation by Christmas, although exactly what that final draft will say remains a matter of some speculation. However, rumour has it that it will reflect a compromise reached between those wanting a more ‘consumer-friendly’ regulation and those seeking a more ‘commerce-friendly’ one.
Statewatch.org has released two documents from the Luxembourg presidency: the first is a 186-page consolidated draft of the entire text in “preparation for trilogue,” and the second is a summary of proposed compromise positions that the Luxembourg presidency would like the full Council to consider.
The three most contentious compromise positions appear to be (1) data breach notification requirements, (2) the question of imposing mandatory data protection officers (DPOs) and (3) the amount of fines for violations.
Data breach notification
The EU Commission’s initial text set a deadline of 24 hours following the discovery of a breach to begin notification to a data protection authority. Parliament offered a compromise of 72 hours and introduced the idea that the perceived risk to affected individuals should determine whether notification is needed at all. The Presidency suggested that 72 hours is sufficient time and that those suffering a breach should notify within that time frame “unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”
The current draft would allow later notification, as long as “reasoned justification” is supplied to the relevant data protection authority (DPA). Organisations would also be required to document all breaches, regardless of risk, and be able to supply that documentation to DPAs upon request, to prove compliance with the GDPR.
Mandatory Data Protection Officer (DPO)
Parliament wants this to be compulsory for organisations with 5,000 data subjects. The Commission wants this to be compulsory for organisations with 250 employees. The Council has suggested that a DPO merely be ‘encouraged’.
The Presidency appears to have suggested a compromise whereby the DPO would be mandatory in three cases:
- The processing is carried out by a public body
- The core activities of the controller or processor involve “regular and systematic monitoring of the data subjects on a large scale”
- The controller or processor is handling a “large scale” of data of a special category, defined as data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric uniquely identifying a person or data concerning health or sex life and sexual orientation.”
NB: The definition of “large scale” is not supplied.
Further, the Presidency has suggested that the appointment of that mandatory DPO have a 12-month grace period from the GDPR’s coming into force (which is currently two years from the 20th day following the GDPR’s publication in the Official Journal of the European Union). This means that organisations would have about 3 years to sort out their DPO requirements and get someone in place.
There remains the possibility that organisations could ‘share’ DPOs with other organisations, and that the DPO could have other duties inside an organisation.
Much has been written about the Parliament draft that suggested maximum fines of 100,000,000 EUR or 5% of annual global turnover and the Council’s more modest fines of 2% of annual global turnover.
The Presidency has suggested a compromise that would result in different maximum fines for different transgressions:
- Violating the obligations of controllers would carry a maximum penalty of 1,000,000 EUR or 2% of turnover
- Violating the rights of data subjects directly would carry a maximum penalty of 2,000,000 EUR or 4% of turnover, and
- Violating an order of a DPA would carry a maximum penalty of 1,000,000 EUR or 2% of turnover.
Already, the European Data Coalition (EDC) has responded to this last compromise suggestion, describing it as “excessive and enormously unfair.” The EDC is concerned that the penalties discriminate against businesses with high turnover and low margin, and that they do not take into account “the share of global revenue that is relevant for the geographical applicability of the region.”
Will the GDPR really be resolved by Christmas? Only Santa knows!