EU states' justice ministers seemed to be competing to sound the most disappointed as they grudgingly agreed to move forward on a new data protection law.
Although a compromise general approach was reached, most countries found fault with the text of the proposed General Data Protection Regulation – quite a feat considering the Council of Justice and Home Affairs Ministers has spent years dismantling and re-writing it.
Article 6(4) is one of the big sticking points. This article allows companies to change how and what they do with citizens' data if they can show “legitimate interest”. Some countries, however, are concerned that “legitimate interest” is too vague and would leave the door open for companies to abuse personal information.
Germany seemed most optimistic about the text and encouraged other countries to compromise in order to move forward to negotiations with the European Parliament and the European Commission. Cyprus, Italy, Belgium and Poland all expressed concerns, but capitulated.
The Maltese minister summed up the position: “The balance is a fragile one, but this is the best compromise we could have.”
The discord at the council could make the next stage of so-called “trilogue” discussions more interesting. Both the European Parliament and the Commission have their own preferred versions of the law and the council compromise could be hard-fought. Some ministers said on Monday they were hoping for improvements to the text in trilogue, potentially weakening the council position.
Austria, for example, said it wouldn't support the Council text if it lowered data protection standards below those of the existing law. The Czech Republic, on the other hand, is worried that the law could be too strict and wants more flexibility for the private sector.
Despite this schism, EU Justice Commissioner Věra Jourová said she was “convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year”.
The proposed regulation has been one of the most heavily lobbied pieces of regulation in EU history and more pressure is likely to be put on the three institutions as they limp towards the finish line.
“Three years into the negotiations, we are glad to see progress in the much needed privacy reform effort,” said Raegan MacDonald, European policy manager of digital civil liberties group Access. “But while we welcome this step forward, we cannot ignore that the Council’s text has carved out so many loopholes it’s not even consistent with the EU Charter of Fundamental Rights. In order for the Regulation to have any value for citizens, we’ll need more ambition and less political discord in the trialogue negotiations.”
DigitalEurope, which says it “represents the digital technology industry in Europe” and counts Apple, BlackBerry and Google as corporate members, was also lukewarm in its response.
“Questions still remain on numerous topics including the implementation of a functioning one-stop-shop, the clear allocation of roles and responsibilities between data controllers and data processors, the introduction of a true ‘risk-based approach’, and a balanced view on profiling. As we move closer to the trilogue discussion the regulation could go either way,” said the group’s director general John Higgins.
The first trilogue meeting will take place on 24 June. German MEP Jan Philipp Albrecht, of the Green Party, will lead the EU Parliament's negotiations.
He said: “The challenge is now to reconcile the two sides, to ensure that the reform provides reliable and high common standards of data protection, and reach an agreement on this before the end of the year.”
“There are clearly differences, notably on consumer rights and the duties of businesses. However, if we can negotiate constructively and pragmatically, it should be possible to deliver a compromise acceptable to both sides within the timeframe,” Albrecht added. ®