Reding, member states set for political battle over power to shape data protection reform

20 March 2017 1:24pm

By Magnus Franklin. First published on MLex 15 December 2011.

Brussels – Viviane Reding, the European commissioner in charge of redrafting EU data protection regulation, is set to engage member states in an intense political battle over their power to shape a lengthy reform due to be proposed in late January.

The reform as drafted is very detailed and makes extensive use of ‘secondary legislation’ to implement its proposed provisions.

Critics fear this lays the ground for the commission to have more power than in the past to fill in the legislative gaps.

Moreover, interested parties are questioning whether the planned new rules can deliver on promises already spanning 100 pages — less red tape; improved awareness among citizens of their rights; greater regulatory certainty and harmonisation — when much of the proposals are based on incomplete legal reforms within the EU institutions. 

Post-Lisbon uncertainty

Power-sharing in between the European Council, Parliament and Commission is in flux as the institutions struggle to interpret and implement legal reforms mandated by the 2009 Lisbon Treaty. One issue still under debate is what part of policy-making motions should be considered primary legislation and subject to traditional co-decision procedures — and what motions should be considered secondary legislation. The Lisbon Treaty forsees a method for categorising motions, but that method is also still under debate.

At the level of secondary legislation, another issue is what motions should be considered ‘delegated acts’ – where council and parliament can veto commission plans but aren’t involved in negotiations – and which should be seen as ‘implementing acts’ — in which the commission faces no threat of a veto and consults the council but not the parliament. The Lisbon Treaty forsees a categorisation method here too, but it too is still under discussion.

Data protection plan

The data protection proposal, leaked widely after being circulated among several departments of the commission, is unusual in that rather than spelling out the principles in primary law — to be agreed in traditional inter-institutional co-decision procedures before moving on to detailed or secondary legislation — it makes extensive proposals for secondary legislation and the power-sharing in that legislation.

Specifically, the draft contains 27 clauses qualified as delegated acts — with the reasoning that they specify the technical implementation of principles set out in the law. More controversially, and raising suspicion of a planned power-grab by Reding, the document sets out a long list of elements as implementing acts, only member states would be able to block at the ‘expert consultation’ stage if the draft is adopted as proposed.

The numerous references to such legislative instruments on detailed clauses of the reform has raised fears that co-legislators, by approving the overall reform plan, will be locked into a weak position when it comes to hammering out details.

For the stakeholders affected by the regulation, moreover, the use of a poorly-understood and opaque regulatory process will increase the risk that adverse measures will be introduced by the commission. And in a field as broad as this one – the establishment of a harmonised application of the fundamental right to privacy and data protection – the scope for ‘regulatory creep’, an increase in the areas covered by the regulation – is also possible.

Draft details

According to the draft, the commission will have the power to draft delegated acts in the areas of “lawfulness of processing, change of purpose of processing, processing of special categories of data, procedures and mechanisms for exercising the rights of the data subject, information to the data subject, the right of access, the right to be forgotten and to erasure, measures based on profiling, responsibility of the controller, data protection by design and by default, representatives of controllers not established in the Union, a processor, documentation, security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment, prior authorisation and prior consultation, designation and tasks of the data protection officer, codes of conduct, certification, transfers by way of binding corporate rules, transfer derogations, administrative sanctions, processing for health purposes, processing in the employment context and processing for historical, statistical and scientific research purposes.”

The commission will be empowered to adopt implementing acts in another lengthy list of areas, including “the modalities for exercising the rights of data subjects, information to the data subject, the right of access, the right to data portability, responsibility of the controller, data protection by design and by default, documentation, security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment, prior authorisation and prior consultation, certification, the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation, transfers by way of binding corporate rules, disclosures not authorised by Union law, mutual assistance, joint operations [and] decisions under the consistency mechanism.”

Implementing or delegated? 

The Lisbon Treaty reforms aim to improve existing ‘comitology’ procedures by dividing secondary legislation into ‘delegated’ and ‘implementing’ acts.

Implementing and delegated acts, in a broad sense, are designed to make the adoption of specific legislation more efficient, rather than going through the full ‘co-decision’ legislative process that normally takes between 18 months and four years. This is particularly the case where aspects of legislation are purely technical and do not require the political examination that a full review would entail.

In theory, delegated acts can only be broad, universal secondary legislation, while implementing acts are non-legislative and are directed at a particular stakeholder or group of stakeholders. Drawing a line in the sand between those two is not always a precise science.

Implementing acts cut out the parliament, which means any such proposals tend to be resisted by MEPs. But they rely – at least in theory – to a greater extent on consultation via technical committees, meaning that potentially inappropriate measures can be corrected by national experts at an earlier stage.

A common example used is in the case of banned airlines. A delegated act would set out the technical criteria for how airlines should be selected for banning. An implementing act would be a decision to include or remove an airline from the list itself.

In the case of the draft data protection regulation – which will be scrutinised and most likely amended in the run-up to Christmas by the other policy units in the commission – there are 27 proposals for delegated acts.

At the highest level, one question will be whether secondary legislation is necessary at all at this stage, and whether it is not better to include many of the proposed elements in primary legislation. Meanwhile, those familiar with comitology point out that given the recent change in the regulation governing delegated and implementing acts, there is no case law to guide legislators when setting the various distinctions.

Politically sensitive

Experts in comitology reform have started preparing for an inevitable political battle over whether efficiency gains — from boosting commission powers through the delegation of key legislation on a relatively obscure procedure — are balanced with procedural drawbacks.

Legal issues aside, there are significant political overtones to the use of comitology procedures that go beyond the specifics of data protection – not least the natural scepticism among member states and the parliament to grant the commission greater powers.

The political considerations will likely be more prominently on display where legislators feel there is scope to turn a delegated act into an implementing act, and vice-versa. Further, political disputes are likely to arise over the scope of the delegated acts, which has to be set out in the primary legislation.

The foreseen use of comitology procedures in this field, where comitology has never been used as a legislative tool, will mean a steep learning curve for privacy experts and stakeholders, many of whom have not been exposed to this policymaking procedure before.