As the legislative journey for the General Data Protection Regulation (“GDPR”) nears its conclusion, last week (Nov. 27, 2015) saw the publication of a further compromise text which left the door open for additional “trilogue” discussions on the much-debated subjects of administrative fines, data protection officers (“DPOs”), and data breaches, as well as details of other provisions.
Agreement has not been reached on the level of administrative fines that supervisory authorities can impose under the GDPR, with discussion ranging from 2% to 5% of global annual turnover. The Presidency has put forward the following proposal as the basis on which to proceed with negotiations: (i) for breaches relating to obligations for controllers, such as a failure to appoint a DPO, the higher of a maximum fine of €1,000,000 or 2% of a company’s total worldwide annual turnover (based on the preceding financial year); (ii) for breaches relating to the rights of data subjects, such as a failure to comply with a data subject’s valid request to stop processing their personal data, the higher of €2,000,000 or 4% of turnover; and (iii) for breaches relating to non-compliance with a supervisory direction, the higher of €1,000,000 or 2% of turnover. The EU Parliament, on the other hand, maintains the position that supervisory authorities should be able to fine companies up to €1,000,000 or 5% of their annual global turnover, whichever is higher.
On the requirement to appoint a DPO, the Presidency has put forward proposals for limited situations where a DPO should be appointed, namely: where the processing is carried out by a public body or authority; where large-scale regular monitoring of data subjects takes place as a core activity of the controller or processor; or where sensitive personal data is being processed. New additions to the current GDPR compromise text include a clarification that a DPO may fulfil other duties, and the introduction of a transition period of 12 months from implementation of the Regulation for the appointment of a DPO. It is unclear at this stage what the specific tasks of the DPO should entail.
The much-debated issue of the timescale for reporting data breaches to supervisory authorities remains under discussion. The latest compromise text maintains a proposal for a 72-hour reporting window. The trigger for data breach reporting to the supervisory authority has also been amended from the breach presenting a “high risk for the rights and freedoms of individuals” to one “result[ing] in a ‘risk’”.
On the long-debated subject of automated processing and profiling, the Trilogue has reached a tentative compromise based on the application of Article 20 to processing “which produces legal effects” or “similarly significantly affects” a data subject, and the addition of various provisions throughout the text that enable the use of pseudonymized data. Language in Article 19 on whether notice of the right to object to profiling must be separate from other notifications, as proposed by Parliamentary negotiators, remains to be resolved.
As to next steps, although it is accepted that tentative political agreements have been reached on some topics, trilogue discussions will continue with the aim of reaching a final agreement on the GDPR by the end of 2015. The next trilogue sessions are expected to take place on 10 and 15 December 2015.