Euro wonks lay SMACKDOWN on draft data protection rules
Little love for proposed privacy regulation
DAPIX is the Working Party on Information Exchange and Data Protection, where delegations of civil servants from the European Union's member states discuss the Commission’s Data Protection Regulation.
But the minutes of the meeting held on 23 and 24 February reveal that there are deep divisions as to the content of the regulation; in fact, the minutes record that only “a few delegations supported the Commission in its choice of a Regulation”.
I can also reveal the commission’s “hoped-for” timescale for the discussions about the regulation to reach a conclusion. The commission is aiming to have agreement between member states on the content of the regulation by June 2014 (before the elections to the European Parliament). If one assumes a two-year lead-in, then the new regulation should be in force by June 2016. That is why readers should keep a watching brief on the content of the regulation, but there is no immediate need to implement any measure to meet its content.
At the meeting, the commission said that there was a “quadrant of objectives underlying the commission's proposals”. These were:
- Stimulating growth by building confidence as the result of using uniform data protection rules applicable throughout the European Union;
- The protection of fundamental rights;
- The adoption of legal instruments that are flexible enough to adapt to future technological developments; and
- Legal certainty (note: I think the last one is moderately amusing given the 120-page length of the regulation as published!).
Wasn't the regime supposed to simplify data protection rules?
The minutes record that there was “a real need for reform of the EU data protection regime”, but divergence on what was really needed. For instance:
- “Some delegations felt that the Commission should have been more radical in its proposal for overhauling the data protection regime and dared to abandon some of the existing main rules and concepts on data protection.”
- “Many delegations had serious concerns that this newly proposed data protection regime, rather than simplifying the data protection rules as it intended, would result in an increased administrative burden on both the private and public sectors.”
- “A number of delegations thought that the proposed Regulation did not distinguish sufficiently between the position of, and rules applicable to individuals, small and medium-sized enterprises (SMEs), large international enterprises and the public sector.”
- “As regards the private sector, several delegations argued that the number of employees a company employed should not be the decisive criterion for differentiating as to the applicability of a number of data protection rules, but that this should instead hinge on the data protection risk inherent in specific types of data processing operations.”
- “Some delegations strongly advocated a more risk-based approach for the future EU data protection regime.”
The minutes record that “a significant number of delegations stated they would have preferred a directive” and that “a few delegations [thought] that a regulation was too prescriptive”. One delegation “thought that a regulation might be appropriate for the private sector, but not for the public sector”. By contrast, “another delegation thought it would have been preferable to have brought the judicial and police sector under the scope of the regulation”.
Many delegations “criticised the many instances in which the proposal delegated powers to the commission to flesh out the rules of the General Data Protection Regulation through delegated acts” and said that the Commission “was undermining one of the main aims of the proposed regulation, namely: to simplify data protection rules”. The prospect that “delegated acts could eventually lead to an (implicit) modification of national procedural legislation was considered unacceptable by one delegation” (I wonder whether it was the UK?).
But we have no budget for that!
Finally, the minutes noted that:
- “Whilst welcoming the concepts of privacy by design and the attention to privacy-enhancing technologies, some delegations queried whether the proposed Data Protection Regulation was sufficiently technology-neutral.”
- “Some delegations expressed concerns as to the technical feasibility of concepts such as the right to be forgotten and the right to data portability.”
- “A few delegations considered the rules on the data protection officers (DPOs) to be too prescriptive. It was also stressed that the DPOs could find themselves with conflicting roles if they were meant to perform controlling tasks whilst maintaining an independent stance.”
- “The increased role of the data protection authorities (DPAs) in the draft regulation was welcomed, however the increased tasks of the DPAs would inevitably have to be matched by a substantial increase of their staff and budget, which was not easy at a time of economic crisis and austerity of public budgets.”
- “Several delegations said the sanctions provided by the draft regulation were too heavy, especially for SMEs.”
Get the drift of these discussions yet? Do you get the impression that the minutes show that member states are as harmonious as a busyness of ferrets in a sack?
Call your bookie
Well, if this level of “agreement” continues, then the regulation will not see the light of day in its current form. There are likely to be a number of compromises with the text, many along the lines of “if you support our view about consent we will support your line on data protection officers”. Underpinning any lack of agreement will be Article 16 of the Consolidated Version of the Treaty on European Union; this states that “a blocking minority must include at least four Council members, failing which the qualified majority shall be deemed attained”.
I suspect “blocking” will be the name of the tactical game played by all member states when they discuss the content of the regulation. In other words, be prepared for agreements about the text of the regulation to be made not for the best of data protection reasons, but on grounds reached as a result of horse-trading in smoke-filled rooms somewhere in the bars of Brussels.
Also, if you can get odds on the regulation not being implemented by 2018, please let me know!
- The EU minutes on the proposed Regulation (PDF); there are comments on the Directive as well.
- “The Regulation: what are the big changes to the Data Protection Act regime?”
- “EU Data Protection Regulation breaks explicit link with “privacy” and Human Rights”
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.