Three years after launching a review into the EU’s existing data protection directive, the EU's Justice Council has agreed on a definitive proposal for a General Data Protection Regulation. If approved, it would replace the old 1995 Data Protection Directive and introduce one law with one set of enforcement rules for the entire European Union.
The proposed regulation – released on 15 June – could be introduced by the end of 2015, if negotiations with the European Parliament and the European Council conclude in the next six months.
The first ‘Trilogue’ meeting between the Commission, the European Parliament and the EU Council took place on 24 June. Commissioner Vera Jourová, who is responsible for justice and consumer protection, stated that the three institutions have agreed on a roadmap towards finalising the reform, saying that ‘we are on track to adopt the data protection reform in 2015.’
The Commission believes that the draft of the General Data Protection Regulation will strengthen consumers’ data privacy, particularly by introducing a ‘right to be forgotten’ clause, which forces companies or organisations to delete an individual’s data upon request where there are no legitimate grounds for keeping it.
Individuals will have a right to know if their data has been hacked, with organisations required to notify their national supervisory authority as soon as possible (often within 24 hours) if they suffer a serious breach. The proposals also include a right to data portability, which will make it easier for users to transfer personal data between service providers.
‘Having one regulation that is the same throughout the EU and is enforced in the same way … will provide much greater clarity for businesses and consumers.’
Martin Schirmbacher, Härting Rechtsanwälte in Germany; Vice-Chair, IBA Technology Law Committee
Companies based outside Europe will have to apply the same rules when offering services in the EU. Violations of the rules by any company – based either in the EU or not – can lead to penalties of up to €1 million or up to 2 per cent of the global annual turnover of a company (the exact fine limits still need to be agreed).
The Commission says the modernised rules will allow businesses to make the most of the opportunities presented by the Digital Single Market by cutting red tape. It estimates that by dealing with just one law, as well as their own national data regulator, instead of 28 different laws, businesses will save around €2.3 billion a year. Removing ‘unnecessary administrative requirements’, such as notification requirements for companies, will also save companies €130 million per year. Notification requirements were lodged when a company set up business in a new EU country, to ensure compliance with local data protection rules, regardless of whether the company was already compliant in another EU country.
Christopher Rees, a legal consultant specialising in technology law at Taylor Wessing and Chair of the IBA’s Computers and Database Committee, believes that the Commission’s plans are sensible. ‘The original directive was already out of step with technological innovations by the time it even took effect. [It] looked at data as a side-product of business operations, whereas now data is regarded as a commodity and there is a whole industry that is based on personal data usage.’
Martin Schirmbacher, technology law partner at German law firm Härting Rechtsanwälte and Vice-Chair of the IBA’s Technology Law Committee, says that ‘having one regulation that is the same throughout the EU and is enforced in the same way by each country will provide much greater clarity for businesses and consumers both inside and outside the EU.’
However, experts do not share the Commission’s optimism that the regulation will be a reality by the end of this year. ‘This regulation has been the subject of more lobbying than any other piece of EU legislation,’ says Dr Christian Hamann, data protection counsel at German law firm Gleiss Lutz. ‘It has already been delayed numerous times and that is bound to continue because the three EU institutions themselves do not share the same view of what the regulation should look like in practice.’
Rees agrees. ‘There is likely to be some more horse-trading between politicians and the likes of Google, Facebook and Twitter before the regulations are finally agreed upon and a firm timetable for implementation put in place,’ he says.
In March 2015 the former EU Justice Commissioner Viviane Reding spoke to the IBA as part of a live webcast about her vision for a digital single market. The EU’s recent proposals reflect the strong views she expressed on the issue of data privacy during the broadcast.
Privacy campaigners have dismissed the latest proposal as ‘meaningless’, saying that the rules will not strengthen individuals' rights over their personal information. Privacy International and European Digital Rights (EDRi), an organisation representing 33 separate groups, have accused the Commission of watering down the legislation. For example, the groups claim that there are 48 exceptions where member states can make their own rules. Additionally, they say that companies can continue to mine individuals’ data if they prove they have a ‘legitimate interest’ in doing so.
Furthermore, both privacy groups argue that the Commission previously said any regulation would ensure data processing would be kept to a minimum. The current draft regulation, however, simply says it must be ‘non-excessive’. Also, while EU citizens will get more information on how their data is being processed, they will not be told why it is being processed.
‘This agreement is quite simply a brazen effort to destroy Europe’s world leading approach to data protection and privacy,’ says EDRi's Executive Director, Joe McNamee.
‘If the purpose of this reform was to strengthen people’s control over their personal information and improve enforcement, our governments have achieved the exact opposite,’ adds Anna Fielder, Board Chair of Privacy International.
There are also practical concerns with the proposed regulation.
Agnieszka Szydlik, a lawyer at Wardynski & Partners in Poland, warns that while the draft regulation aims to cut bureaucracy for companies, some of its requirements – such as the duty to notify breaches – may well have the opposite effect. ‘Although the regulation is intended to limit bureaucracy, some entities will have new obligations when it comes into force. For example, the preparation of a privacy impact assessment and documentation, which would need to be conducted by a data protection officer, may involve a lot of effort.’
Schirmbacher also believes that there are several negative points relating to the rules as they currently stand. ‘The draft regulation is only perpetuating privacy rules that are currently in place, without targeting the various issues associated with “new media”,’ he says. ‘Basically, the draft just reflects existing data protection ideas and merely adds some flavour here and there (such as the right to be forgotten), but it does not reflect the fundamental change that would be necessary in terms of the technological advances with regards to the internet of things and big data.’
He also believes that ‘the draft has got no answer to the ambivalence of freedom of speech and the freedom of communication and the right to privacy. For example, if I take a picture of my friend and upload this to Facebook I might infringe the right of privacy of the person in the background – I would have to ask permission. Is that really a problem?’
Neil Hodge is a freelance journalist and can be contacted on firstname.lastname@example.org