The Regulation

Controversial Topics

An overview of the topics most likely debated during the Trilogue negotiations, including the stance of each EU body from their respective adopted drafts of the GDPR.

Many of the key points of the regulation are clear and documented similarly across the three drafts, but some details came with enough variability to warrant their own comparison between the Commission, Parliament and Council texts.

Data Portability

The right to data portability had its own article in the Commission and Council proposals, but was part of the right-to-access article in the Parliament text. All texts apply portability only to data provided by the data subject. The most important differences were the Parliament's caveat of requiring direct transfer only 'where technically feasible and available', and the Council's addition of the need for data to be machine-readable and the exclusion of data that would infringe intellectual property rights if disclosed.

One-Stop-Shop

As one of the key drivers behind a new regulation was the harmonization of data protection laws throughout Europe, the one-stop-shop principle seemed a sensible addition — but it is not as simple in practice. The Commission proposal was the simplest: a single lead supervisory authority of the main establishment competent for supervision across all member states. The Parliament, concerned about data subjects' ability to lodge complaints locally, still relied on a lead DPA but required the cooperation of all concerned DPAs. The Council's general approach gave each DPA competence to enforce in its own state — arguably the most 'watered-down' version.

The pervasive debate is the balancing act between reducing red tape by harmonizing data protection laws across Europe and ensuring the rights of data subjects through the availability of legal redress with the appropriate DPA.

Data Protection Officers

The Commission and Parliament agreed that a DPO is mandatory wherever processing is carried out by a public authority, or by a controller or processor whose core activities require regular and systematic monitoring of data subjects. They differed on the threshold: the Commission text required a DPO for any enterprise with over 250 employees, while the Parliament text required one for those processing the personal data of over 5,000 data subjects in any 12-month period, and added a requirement for all enterprises processing 'special categories' of data. The Council did not mandate a DPO unless required by EU or member-state law.

The information contained within this resource in no way constitutes legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.
