EU General DP Regulation: Changes Afoot For SMEs

Viviane Reding, EU Justice Commissioner went on the record last week to say she was listening to some of the feedback about the EU's General Data Protection Regulation. We digest her comments.

The aim of the new Regulation is to set the standard internationally for data protection.

According to Ms Reding, the EU has a particular focus on forcing up internet governance.

They want to "generate trust between citizens and private enterprises" and thus foster sustainable growth.

Interestingly, Ms Reding recognises the dangers of "placing excessive burden on business" in the course of seeking to improve standards. This has been one of the main criticisms of the new Regulation in the UK. She says she is willing to move in certain areas as a result of these concerns.

A softening of the rules for SME's?

In Ms Reding's words the EU's aim is to create one set of rules for all throughout the EU, but in doing so "it has never been the Commission's intention to apply the same rules to the small hairdresser as to a multinational".

With this in mind she is prepared to look at whether the existing (and in our view limited) exemptions for SMEs can be broadened, but at this stage has not put forward anything concrete.

Her message for big business was stark though, saying "Lets be frank: we should not fall into the trap of some lobbyists expressing concerns for SMEs but in fact referred to provisions relevant for large multinational firms"; the inference being the EU will not budge on the obligations it has set out for big business.

So the right to be forgotten, right to object to profiling, obligation to document processes, vastly increased fines regime, and obligation to notify breaches look like they are here to stay for many organisations.

A separate regime for the public sector?

Ms Reding has shut the door on any ideas in this area. She is willing to look at introducing more flexibility for the public sector above the 20 or so cases already identified, and allow Member States some discretion in this area, but the general message is clear - there will be predominantly one rulebook for all going forward.

Fewer powers for the EU Commission?

The new Regulation gave the EU Commission wide retained powers to issue supplemental laws and regulations. These powers were always going to go down like a lead balloon with some Member States.

Ms Reding has said she will look at each of these powers in turn with the Member States and limit them to what is truely necessary.

There are huge areas of the Regulation which on first reading are not very clear. For example, people are given a right to object to profiling that "significantly affects" them, but there is no clear definition of this concept. Furthermore, there is only limited reference in the Regulation to binding legal guidance being provided by national Regulators. This position seems to leave a big gap in understanding which needs to be plugged. Any means of doing would be welcome.

The catch is, the retained powers are not necessarily in the right areas (e.g. there is no retained power to define "significantly affects").

In addition, noone would want the EU Commission to use its retained powers in a way which is tantamount to primary legislation, and at present this may be a risk. The Regulation gives the Commission wide powers to define in what circumstances the "legitimate interests" condition under Principle 1 can be used. This condition is given a broad interpretation by the UK Information Commissioners Office at the moment and is heavily used by business in the UK; if the EU were to take a contrary view, this would be very disruptive.

There is a similarly concerning right for the  Commission to add additional details and restrictions around the use of sensitive personal data (which is arguably already very tight). Other examples bound.

Overall, more scrutiny of the Regulation in this area seems appropriate.

No shift in timescales?

Ms Reding remains "confident that we will be able to take a political decision on these three issues in December in order to stick to the ambitious tametable set by our colleague Alan Shatter, the Irish Justice Minister who aims to reach a political agreement on the reform package by the end of the Irish Presidency". The Irish Presidency wraps up in June 2013.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.