Council of the EU discusses General Data Protection Regulation

The Justice and Home Affairs Council met on Friday 8 March to debate the latest Council discussion paper, which asked member states for their positions and concerns regarding two main elements of the GDPR - the use of a risk-based approach and the need to provide flexibility for the public sector.


The meeting was chaired by Mr Alan Shatter, Irish Minister for Justice, Equality and Defence and opened with a presentation by Commissioner for Justice, Fundamental Rights and Citizenship, Viviane Reding. The Commissioner pledged her commitment to finding concrete solutions to identified problems within the Regulation. The Commission is keen to have the instrument remain a Regulation, as opposed to a Directive, which has been called for by some parties in the debate. The exemptions for SMEs presented in the European Parliament’s Industry Committee (ITRE) report are likely to be incorporated, Ms Reding said, and the Commission is also keen to examine the inclusion of pseudonymous data. In this context, the Commissioner made specific reference to health, noting that pseudonymous data is still personal data, and is often of a sensitive nature.

The Chair then moved to take contributions from each of the member states, asking them to refer to the questions posed in the discussion document. These invited members to:

  • discuss whether controllers should have an obligation to engage in prior consultation with the supervisory authority where their risk assessment indicates that envisaged processing operations are likely to present a high degree of specific risk
  • discuss whether the designation of a data protection officer should be optional rather than mandatory and whether the controller’s obligations can be alleviated in cases where a data protection officer is then designated on a voluntary basis
  • discuss whether the application of approved codes of conduct and the use of approved data protection certification mechanisms should be incentivised by establishing linkages with the risk assessment process
  • instruct the COREPER and DAPIX Working Groups to continue work on the risk-based approach
  • instruct the COREPER and DAPIX Working Groups to continue work on flexibility for the public sector along the lines suggested in paragraph 12 above, by clarifying the details that can be regulated under the law that provides the national legal basis for the data processing.

Broad support was secured for the use of codes of conduct in combination with risk assessments and the inclusion of a provision, making the appointment of a Data Protection Officer (DPO) voluntary, rather than mandatory. However, divisions remain over the issue of prior-consultation where data processing is deemed high-risk, with countries such as the UK and France supporting such provisions and others, such as Finland and Latvia, opposing them. Here, the definition of ’risk’ has also been a source of some disagreement. The UK made a strong statement in favour of changing the instrument to a Directive, rather than a Regulation, suggesting that this would also speed up the process since consensus would be easier to achieve. In contrast, the Romanian and Italian representatives were of the opinion that if a Directive is chose, implementation will be much less consistent.

Health was specifically mentioned in only one of the presentations - the Belgian representative noted their concern with the Article 21 exceptions for social security and health and said that the public sector committees in Belgium had indicated that they would prefer to use their current, tailored processes in this area.

Finally, in response to a number of comments about the progress of the dossier, Mr Shatter brought the discussion to a close by stating that the file should continue to move forward ’for practical, not political reasons’.

Further information

EPHA related articles

Last modified on March 15 2013.