Privacy & Information Security Law Blog

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

Transfers of Data to non-EEA Jurisdictions

The Council agreed that the Proposed Regulation should contain three possible avenues to legitimize transfers and ensure they are secure. These scenarios include:

• when the European Commission has found that a third country provides “adequate” protection for the rights of individuals with respect to the processing of personal data;
• when appropriate safeguards to protect transferred data are in place (such as Binding Corporate Rules); and
• in clearly defined situations which necessitate the transfer of data (such as in connection with a competition or tax investigation).

The Territorial Scope of the Proposed Regulation

The Council confirmed that EU data protection law will apply to organizations that are not established within the EU, but that do business in the EU and target products or services at European citizens.

Viviane Reding also announced that the Council remains committed to the one-stop shop principle (by which organizations that provide cross-border services involving data processing would be regulated by a single data protection authority). Specifically, the meeting saw closer alignment on the principle that there should be a “lead authority” that works closely with other concerned authorities (notably, the local data protection authority with which the complaint is lodged).

Once the Council has reached agreement on the text of the Proposed Regulation, a trilogue between the Parliament, the Council and the European Commission will be established to agree on the final text. Following the trilogue, the Proposed Regulation will be put to a vote of the Parliament and, if adopted, there will be a final implementation period before the Proposed Regulation comes into force in the EU Member States. Viviane Reding reiterated that data protection reform remains on track to ensure “the completion of the Digital Single Market by 2015.”