The EU Parliament has adopted a proposal that attempts to bring the EU institutions’ data-sharing practices into alignment with the General Data Protection Regulation (GDPR).
Unlike private organizations, the EU’s own data collection and processing activities aren’t governed by the GDPR but by Regulation 45/2001.
The proposed Regulation is currently pending approval by the EU’s intergovernmental branch, the Council of the European Union, and will likely come into force later this year.
The proposal adopts provisions from the GDPR but it also differs in a few key areas, including the size of fines that can be issued against offending institutions.
Under Article 83 of the GDPR, data protection authorities like the UK’s Information Commissioner’s Office (ICO) can fine offending private organizations up to 20 million EUR or 4 percent of annual turnover.
However, the maximum fine that can be issued against an offending institution by the European Data Protection Supervisory Authority (EDPS) under Article 66 of the Regulation governing internal data practices is 500,000 EUR per year.
Moreover, the proposed Regulation also stipulates that fines against EU institutions can only be issued as a “last resort”.
In an opinion published in 2017 (PDF), the EDPS stated:
“In addition, the EDPS notes that fines under Article 66 would be significantly lower than those provided for under Article 83(4) to (6) GDPR. He takes note of this approach given that, unlike the GDPR, the Proposal does not target operators pursuing in principle gainful activities.
“Moreover, fines of this order of magnitude, while having an undoubtedly deterrent effect, would not in any case risk jeopardising day-to-day functioning of the EU institution in question”.
In its opinion, the EDPS also stated:
“Apart from substantive alignment with the GDPR, it is essential that the revised rules become fully applicable at the same time as the GDPR i.e. on 25 May 2018”.
This target obviously wasn’t met.
The Regulation is one of many that govern internet activities, or the activities of internet platforms, which the supranational organization has initiated or approved in recent years.
Aside from the GDPR, other initiated or adopted regulations or directives include the ePrivacy Regulation, the Copyright Directive and a recently proposed Regulation mandating “hosting service providers” remove extremist content within one hour.
While the EU Parliament recently adopted a proposal on the Copyright Directive and will enter into trilogue negotiations with the Council of the European Union, the ePrivacy regulation has experienced significant delays – the Council of the European Union recently published a revised proposal – and likely won’t come into force until 2020.
Commenting on the new regulation governing the internal data protection activities of EU institutions, Rapporteur Cornelia Ernst stated (translated):
“One can say that since 2011 we have been creating something like a highway code for the digital society. The General Data Protection Regulation and Directive are the basis for the most comprehensive and modern data protection legislation in the world in order to effectively protect the fundamental rights of citizens and their right to informational self-determination.
“… I can say with a clear conscience: we have really made sure that what applies to every EU citizen to data protection must of course also apply to the EU institutions…such as the Council, the European Parliament, the Commission…”
According to Recital 12, the new Regulation won’t initially apply to either EUROPOL or the European Public Prosecutor’s Office “until the legal acts establishing Europol and the European Public Prosecutor’s Office are amended with a view to rendering the Chapter of this Regulation on the processing of operational personal data, as adapted, applicable to them”.
Moreover, the new Regulation, as per Recital 15, won’t apply to “the processing of personal data by missions referred to in Articles 42(1), 43 and 44 TEU, which implement the common security and defence policy”.