Euro wonks lay SMACKDOWN on draft data protection rules

Little love for proposed privacy regulation

DAPIX is the Working Party on Information Exchange and Data Protection, where delegations of civil servants from the European Union's member states discuss the Commission’s Data Protection Regulation.

But the minutes of the meeting held on 23 and 24 February reveal that there are deep divisions as to the content of the regulation; in fact, the minutes record that only “a few delegations supported the Commission in its choice of a Regulation”.

I can also reveal the commission’s “hoped-for” timescale for the discussions about the regulation to reach a conclusion. The commission is aiming to have agreement between member states on the content of the regulation by June 2014 (before the elections to the European Parliament). If one assumes a two-year lead-in, then the new regulation should be in force by June 2016. That is why readers should keep a watching brief on the content of the regulation, but there is no immediate need to implement any measure to meet its content.

At the meeting, the commission said that there was a “quadrant of objectives underlying the commission's proposals”. These were:

  • Stimulating growth by building confidence as the result of using uniform data protection rules applicable throughout the European Union;
  • The protection of fundamental rights;
  • The adoption of legal instruments that are flexible enough to adapt to future technological developments; and
  • Legal certainty (note: I think the last one is moderately amusing given the 120-page length of the regulation as published!).

Wasn't the regime supposed to simplify data protection rules?

The minutes record that there was “a real need for reform of the EU data protection regime”, but divergence on what was really needed. For instance:

  • “Some delegations felt that the Commission should have been more radical in its proposal for overhauling the data protection regime and dared to abandon some of the existing main rules and concepts on data protection.”
  • “Many delegations had serious concerns that this newly proposed data protection regime, rather than simplifying the data protection rules as it intended, would result in an increased administrative burden on both the private and public sectors.”
  • “A number of delegations thought that the proposed Regulation did not distinguish sufficiently between the position of, and rules applicable to individuals, small and medium-sized enterprises (SMEs), large international enterprises and the public sector.”
  • “As regards the private sector, several delegations argued that the number of employees a company employed should not be the decisive criterion for differentiating as to the applicability of a number of data protection rules, but that this should instead hinge on the data protection risk inherent in specific types of data processing operations.”
  • “Some delegations strongly advocated a more risk-based approach for the future EU data protection regime.”

The minutes record that “a significant number of delegations stated they would have preferred a directive” and that “a few delegations [thought] that a regulation was too prescriptive”. One delegation “thought that a regulation might be appropriate for the private sector, but not for the public sector”. By contrast, “another delegation thought it would have been preferable to have brought the judicial and police sector under the scope of the regulation”.

Many delegations “criticised the many instances in which the proposal delegated powers to the commission to flesh out the rules of the General Data Protection Regulation through delegated acts” and said that the Commission “was undermining one of the main aims of the proposed regulation, namely: to simplify data protection rules”. The prospect that “delegated acts could eventually lead to an (implicit) modification of national procedural legislation was considered unacceptable by one delegation” (I wonder whether it was the UK?).

But we have no budget for that!

Finally, the minutes noted that:

  • “Whilst welcoming the concepts of privacy by design and the attention to privacy-enhancing technologies, some delegations queried whether the proposed Data Protection Regulation was sufficiently technology-neutral.”
  • “Some delegations expressed concerns as to the technical feasibility of concepts such as the right to be forgotten and the right to data portability.”
  • “A few delegations considered the rules on the data protection officers (DPOs) to be too prescriptive. It was also stressed that the DPOs could find themselves with conflicting roles if they were meant to perform controlling tasks whilst maintaining an independent stance.”
  • “The increased role of the data protection authorities (DPAs) in the draft regulation was welcomed, however the increased tasks of the DPAs would inevitably have to be matched by a substantial increase of their staff and budget, which was not easy at a time of economic crisis and austerity of public budgets.”
  • “Several delegations said the sanctions provided by the draft regulation were too heavy, especially for SMEs.”

Get the drift of these discussions yet? Do you get the impression that the minutes show that member states are as harmonious as a busyness of ferrets in a sack?

Call your bookie

Well if this level of “agreement” continues, then the regulation will not see the light of day in its current form. There is likely to be a number of compromises with the text, many along the lines of “if you support our view about consent we will support your line on data protection officers”. Underpinning any lack of agreement will be Article 16 of the Consolidated Version of the Treaty on European Union; this states that "a blocking minority must include at least four Council members, failing which the qualified majority shall be deemed attained".

I suspect “blocking” will be the name of the tactical game played by all member states when they discuss the content of the regulation. In other words, be prepared for agreements about the text of the regulation to be made not for the best of data protection reasons, but on grounds reached as a result of horse-trading in smoke-filled rooms somewhere in the bars of Brussels.

Also, if you can get odds on the regulation not being implemented by 2018, please let me know!

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
