“The controller or the processor may, or where required by Union or Member State law shall, designate a data protection officer”.
This is the opening of Article 35 of the Regulation, as amended and approved by the EU Council on the 11th of June, which the Presidency submits for approval as a General Approach.
Even limiting the scope of the evaluation to this opening sentence, it is clear that major changes have been made compared with the previous version, which stated: “The controller and the processor shall designate a data protection officer in any case where…”.
First change: “Shall” becomes “may”. That is, appointing the data protection officer becomes optional. This is in line with Recital 75, which states: “Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person with expert knowledge of data protection law and practices may assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.”
Second change: “or where required by Union or Member State law shall …”. This is quite a strange change, considering that one of the objectives of the new regulation was “one continent, one regulation” as opposed to the current situation where it is “one directive, 28 laws”. With the version approved by the EU Council, member States are again in a position to define their specific approach to Personal Data Protection and, consequently, to differentiate the rules and competition among States.
No incentives are in place to push organizations to appoint a DPO, or, at least, they are very difficult to identify.
It is quite clear that the decision taken by the EU Council aims to remove a rule that could produce additional costs, especially for small and medium enterprises, without formally deleting it, while taking into account that some member States may have already introduced such a rule.
Considering that almost all large enterprises already have a privacy department, stating that “… a person with expert knowledge … may assist the controller…” doesn’t mean that much.