Privacy & Information Security Law Blog

On March 1, 2013, the Irish Presidency published a note to the European Council of Ministers regarding its progress on the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The Note details the Irish Presidency’s work to bring a more risk-based approach to the Proposed Regulation.

According to the Note, several EU Member States have “voiced their disagreement with the level of prescriptiveness” of the Proposed Regulation, and stated that the risk inherent in certain data processing operations should be a main criterion for calibrating the data protection obligations in the Proposed Regulation. Where the data protection risk is higher, the more detailed obligations under the Proposed Regulation would be justified; where it is comparably lower, the level of prescriptiveness should be reduced.

Based on this approach, the Irish Presidency suggested amendments to Chapter IV of the Proposed Regulation which sets out the responsibilities of data controllers and data processors. The proposed amendments are not publicly available, but the Note refers to “risk-based redrafting” of many provisions, including:

• Article 23 (data protection by design and default);
• Article 28 (documentation);
• Article 31 (breach notification);
• Article 33 (data protection impact assessments);
• Article 34 (prior authorization and prior consultation); and
• Article 35 (appointment of a data protection officer).

The Irish Presidency also indicated that differences in approach still remain with respect to certain Articles.

• The Note confirms that there is broad agreement on the need to conduct data protection impact assessments before beginning personal data processing activities that present ‘specific risks’ to individuals’ rights. That said, some EU Member States question whether it should be mandatory to consult with the supervisory authority for high-risk processing as this would mean processing could not commence during the consultation period.
• The Note states that although some EU Member States accept the appointment of a Data Protection Officer (“DPO”) where the data controller is engaged in “risky processing,” they consider the appointment “should be optional rather than mandatory.” In addition, it has been suggested that some benefit should apply “in terms of lighter obligations” in cases where a DPO is appointed.

Further, the Note indicates that discussions of Chapter IV on the Proposed Regulation (controller and processor) demonstrate that it needs to be “further refined in order to establish criteria for distinguishing different types of risk that may entail different types of obligations on the controller.” The Presidency added that such refinement should take into account the “needs of micro, small and medium-sized enterprises (“SMEs”)” and advocated exploring “whether [and how] the use of pseudonymous data can contribute to the calibrating of controllers’ and processors’ data protection obligations whilst maintaining protection levels.” Finally, the Irish Presidency’s Note invites the Council to instruct the Working Party on the Information Exchange and Data Protection (“DAPIX”) and the Committee of Permanent Representatives (“COREPOR”) to further develop both these points.