Brussels, 05/06/2014 (Agence Europe) - As if wishing to celebrate the anniversary in their own way, the justice ministers of the EU, meeting in Luxembourg on Friday 6 June, approved part of a general regulation on the protection of personal data, virtually one year on from the day on which the Snowden affair broke, bringing with it multiple revelations on spying carried out by the United States on European citizens and leaders.
In Luxembourg on Friday, the ministers specifically agreed on the territorial scope of this regulation, which was presented in January 2012 by Commissioner Viviane Reding, and confirmed that the future European rules will, indeed, apply to all foreign companies carrying out activities on the territory of the EU or providing services for European consumers. A principal which “I thought was quite obvious, but which apparently wasn't”, Reding said at a press conference, as this Commission proposal has come in for a certain amount of criticism in the past.
Another small step forward concerns the conditions under which personal data can be transferred to third countries and international organisations. Under the compromise adopted by the ministers, this transfer of data can take place when the “Commission has confirmed that this third country or organisation ensures adequate protection levels”, a Council note explains, with criteria such as the primacy of law, respect for human rights and fundamental freedoms, data protection rules and security measures, including rules on the subsequent transfer of personal data to other third countries.
The second scenario approved by the ministers concerns a group of companies or businesses carrying out a joint economic activity, which should be authorised to rely on “binding corporate rules” for its international transfers from the EU to entities of the same group, on condition that these rules “include essential principles and enforceable rights providing appropriate guarantees”.
The agreement also lays down the conditions under which transfers can be authorised on a one-off basis in cases in which an individual gives his or her consent (for lawsuits, for example, or contract) or specific reasons which are “duly justified” on grounds of general interest, such as tax investigations, Reding explained.
She believes that this agreement, which is currently just a partial agreement and is still at the mercy of decisions to the contrary from the Council until the entire regulation has been agreed, nonetheless sends out a “clear message” to the players concerned. This partial general approach also had the support of almost all member states, with the notable exception of the United Kingdom.
But it is not yet a victory for Reding, who, newly elected to the EP, may also be leaving the Commission soon. Because although the principle of “institutional continuity remains”, she said, the member states have by no means found a solution on another highly controversial aspect of the regulation: the “single point of contact”. A debate on Friday morning showed that many member states remain divided.
In major cases concerning more than one member state, a single point of contact would make it possible to establish a single point of contact to take a single decision (a fine, for example) for all of the countries concerned. The single point of contact would be provided by the authorities of the country in which the company has its headquarters. However, the legal services of the Council feel that this solution is too weak, flagging up problems of “proximity” for citizens seeking reparation. As they did in December, the Council's legal services on 6 June reiterated their poor opinion of this architecture, even describing it as a “step backwards” for the rights of the citizens.
One of the solutions raised that day would be that for major disputes, this ultimate decision would be transferred to a “super” data protection committee, created on the basis of the current Article 29 group, which is made up of all the national regulators. And it will be up to the Italian Presidency to settle this issue. Nonetheless, Reding was confident on Friday that the reform “of data protection will be concluded by the end of the year”.
But between now and then, the commissioner has other challenges to face, notably with the United States and their commitment to negotiate, by this summer, a framework agreement on data protection and to amend the Safe Harbour agreement. Although Washington has shown willing on “95% of our requests, there are still 5% to fulfil and these are causing problems”, said Reding. The United States has still not given satisfaction as to options for Europeans to bring cases before American courts and obtain reparation in the event of abuse of their data. And “we cannot countenance an agreement without this aspect”, she said. On Safe Harbour, 12 recommendations out of 13 have so far been fulfilled, but the 13th remains to be clarified, “which comprises the exceptions for national security imperatives”. On 25 June, Reding may discuss this issue with her opposite number Eric Holder, at an informal meeting in Athens. (SP)