Many of the key points of the regulation are clear and documented similarly across the three current drafts, but many details still need to be hammered out, and some points vary enough between drafts to warrant their own comparison. Below is an analysis of the topics which are likely to have been the subject of much debate during the Trilogue negotiation process.
The right to data portability has its own article (18) in the Commission and Council proposal documents, but is part of the right of access article (15) in the Parliament text. The relevant quotes from each draft are as follows:
Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.
The right [to data portability] shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine-readable format.
It is important to note that all texts only apply portability to data provided by the data subject, and the Commission and Council texts only apply to data which is processed based on consent or contract, leaving out personal data processed by other lawful means. The most important differences come in the Parliament’s caveat of only requiring direct transfer “where technically feasible and available” as well as the Council’s addition of the need for data to be machine readable and also excluding data that would infringe intellectual property rights if disclosed. The predominant concerns arising from the supporters of data portability see the Parliament’s text as a potential drag on overall effectiveness if corporations are simply unwilling to improve their technology in order to comply. On the other hand, critics of the idea worry that forcing data portability with such a broad scope will lead to disproportionate cost and effort in industries with no consumer “lock-in.”
As one of the key drivers behind creating a new regulation was the harmonization of data protection laws throughout Europe, the one-stop-shop principle seems like a sensible addition. However, the principle is not as simple in practice as it can appear on paper, and the original Commission proposal has been modified heavily by its subsequent GDPR adoptions.
The proposal from the Commission in article 15 is by far the simplest and most general approach: “Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States.”
The Parliament took issue with the potential infringement of data subject rights when they are not able to easily lodge a complaint with a competent lead DPA if, for instance, contact is made difficult by language or financial means. In article 54a of its adopted text, the Parliament still relies on a lead DPA for the doling out of legal remedies, but it requires the cooperation of all concerned DPAs. The number of concerned DPAs will also be greatly increased, as a provision is added for data subjects to lodge complaints with their local DPA, which then works with the lead DPA on behalf of the data subject. Finally, the role of the Data Protection Board is increased: it decides in the situation of an unclear lead DPA and gives the ultimate ruling in the event that the consistency mechanism is invoked.
The Council has arguably the most “watered-down” version of a one-stop-shop in its adopted general approach. It provides each DPA with the competence to enforce the GDPR in its own state, and requires the lead DPA to consult with and share all information with every concerned DPA. It also allows any concerned DPA to refer a case to the Data Protection Board should it feel that the lead DPA has not taken its opinion into account. Overall, this increases the amount of red tape involved to a point beyond the initial intention of the one-stop-shop principle and allows for the potential of ‘capricious referrals’ that undermine the authority of the lead DPA and potentially put a strain on the Data Protection Board, which is set up under the GDPR but not allocated any specific funding or infrastructure.
The pervasive debate throughout the one-stop-shop principle is the balancing act between reducing red tape by harmonizing data protection laws across Europe and ensuring that the rights of data subjects are secured through the availability of legal redress with the appropriate DPA.
Data Protection Officers
The designation of a Data Protection Officer (DPO), covered in article 35, draws somewhat similar views from both the Commission and Parliament. They agree that a DPO is mandatory wherever the data processing is carried out by a public authority or by a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects. They also agree that companies passing certain thresholds should be mandated to appoint a DPO, yet they differ on the exact metric: the Commission text requires any enterprise with over 250 employees, while the Parliament text calls for those processing the personal data of over 5000 data subjects in any 12-month period. Finally, Parliament adds that a DPO should be mandatory for all enterprises that process 'special categories' of data, including information such as health data or religious and political beliefs. The Council does not mandate the appointment of a DPO unless it is required by EU or member state law. Its members themselves had varying views during the debate prior to the release of the general approach, so it will be interesting to see how vigorously the Council fights for this relaxation of DPO appointments against the two other institutions, which seem to hold similar positions.