Dec 42015

Negotiations on the General Data Protection Regulations Continue

Cameron F. Kerry, William RM Long, Geraldine Scali and Francesca Blythe
, , , , ,

As the legislative journey for the General Data Protection Regulation (“GDPR”) nears its conclusion, last week (Nov. 27,2015) saw the publication of a further compromise text which left the door open for additional “trilogue” discussions on the much-debated subjects of administrative fines, data protection officers (“DPOs”), and data breaches, as well as details of other provisions.

Agreement has not been reached on the level of administrative fines that supervisory authorities can impose under the GDPR, with discussion ranging from 2% to 5% of global annual turnover.  The Presidency has put forward the following proposal as the basis on which to proceed with negotiations: (i) for breaches relating to obligations for controllers, such as a failure to appoint a DPO, the higher of a maximum fine of €1,000,000 or 2% of a company’s total worldwide annual turnover (based on the preceding financial year); (ii) for breaches relating to the rights of data subjects, such as a failure to comply with a data subject’s valid request to stop processing its personal data, the higher of €2,000,000 or 4% of turnover; and (iii) for breaches relating to non-compliance with a supervisory direction, the higher of €1,000,000 or 2% of turnover.  The EU Parliament, on the other hand, maintains the position that supervisory authorities should be able to fine companies up to €1 000 000 or 5% of their annual global turnover, whichever is higher.

On the requirement to appoint a DPO, the Presidency has put forward proposals for limited situations where a DPO should be appointed, namely: where the processing is carried out by a public body or authority; where large-scale regular monitoring of data subjects takes place as a core activity of the controller or processor; or where sensitive personal data is being processed.  New additions to the current GDPR compromise text include a  clarification that a DPO may fulfil other duties, and the introduction of a transition period of 12 months from implementation of the Regulation for the appointment of a DPO.  It is unclear at this stage what the specific tasks of the DPO should entail.

The much-debated issue of the timescale for reporting of data breaches to supervisory authorities remains under discussion.  The latest compromise text is maintaining a proposal for a 72-hour reporting window.  The trigger for data breach reporting to the supervisory authority has also been amended from the breach presenting a “high risk for the rights and freedoms of individuals”, to one “result[ing] in a “risk”.

On the long debated subject of automated processing and profiling, the Trilogue has reached a tentative compromise based on the application of Article 20 processing “which produces legal effects” or “similarly significantly affects” a data subject and the addition of various provisions through the text that enable the use of pseudonymized data.  Language in Article 19 on whether notice of the right to object to profiling must be separate from other notification, as proposed by Parliamentary negotiators, remains to be resolved.

As to next steps, although it is accepted that tentative political agreements have been reached on some topics, trilogue discussions will continue with the aim of reaching a final agreement on the GDPR by the end of 2015.  The next trilogue sessions are expected to take place on 10 and 15 December 2015.

Cameron F. Kerry

ckerry@sidley.com

William RM Long

London

wlong@sidley.com

Geraldine Scali

gscali@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.