Euro wonks lay SMACKDOWN on draft data protection rules

Little love for proposed privacy regulation

DAPIX is the Working Party on Information Exchange and Data Protection, where delegations of civil servants from the European Union's member states discuss the Commission’s Data Protection Regulation.

But the minutes of the meeting held on 23 and 24 February reveal that there are deep divisions as to the content of the regulation; in fact, the minutes record that only “a few delegations supported the Commission in its choice of a Regulation”.

I can also reveal the commission’s “hoped-for” timescale for the discussions about the regulation to reach a conclusion. The commission is aiming to have agreement between member states on the content of the regulation by June 2014 (before the elections to the European Parliament). If one assumes a two-year lead-in, then the new regulation should be in force by June 2016. That is why readers should keep a watching brief on the content of the regulation, but there is no immediate need to implement any measure to meet its content.

At the meeting, the commission said that there was a “quadrant of objectives underlying the commission's proposals”. These were:

  • Stimulating growth by building confidence as the result of using uniform data protection rules applicable throughout the European Union;
  • The protection of fundamental rights;
  • The adoption of legal instruments that are flexible enough to adapt to future technological developments; and
  • Legal certainty (note: I think the last one is moderately amusing given the 120-page length of the regulation as published!).

Wasn't the regime supposed to simplify data protection rules?

The minutes record that there was “a real need for reform of the EU data protection regime”, but divergence on what was really needed. For instance:

  • “Some delegations felt that the Commission should have been more radical in its proposal for overhauling the data protection regime and dared to abandon some of the existing main rules and concepts on data protection."
  • “Many delegations had serious concerns that this newly proposed data protection regime, rather than simplifying the data protection rules as it intended, would result in an increased administrative burden on both the private and public sectors.”
  • “A number of delegations thought that the proposed Regulation did not distinguish sufficiently between the position of, and rules applicable to individuals, small and medium-sized enterprises (SMEs), large international enterprises and the public sector."
  • “As regards the private sector, several delegations argued that the number of employees a company employed should not be the decisive criterion for differentiating as to the applicability of a number of data protection rules, but that this should instead hinge on the data protection risk inherent in specific types of data processing operations.”
  • “Some delegations strongly advocated a more risk-based approach for the future EU data protection regime.”

The minutes record that “a significant number of delegations stated they would have preferred a directive” and that “a few delegations [thought] that a regulation was too prescriptive”. One delegation “thought that a regulation might be appropriate for the private sector, but not for the public sector”. By contrast, “another delegation thought it would have been preferable to have brought the judicial and police sector under the scope of the regulation”.

Many delegations “criticised the many instances in which the proposal delegated powers to the commission to flesh out the rules of the General Data Protection Regulation through delegated acts” and argued that the Commission “was undermining one of the main aims of the proposed regulation, namely: to simplify data protection rules”. The prospect that “delegated acts could eventually lead to an (implicit) modification of national procedural legislation was considered unacceptable by one delegation” (I wonder whether it was the UK?).

But we have no budget for that!

Finally, the minutes noted that:

  • “Whilst welcoming the concepts of privacy by design and the attention to privacy-enhancing technologies, some delegations queried whether the proposed Data Protection Regulation was sufficiently technology-neutral.”
  • “Some delegations expressed concerns as to the technical feasibility of concepts such as the right to be forgotten and the right to data portability.”
  • “A few delegations considered the rules on the data protection officers (DPOs) to be too prescriptive. It was also stressed that the DPOs could find themselves with conflicting roles if they were meant to perform controlling tasks whilst maintaining an independent stance.”
  • “The increased role of the data protection authorities (DPAs) in the draft regulation was welcomed, however the increased tasks of the DPAs would inevitably have to be matched by a substantial increase of their staff and budget, which was not easy at a time of economic crisis and austerity of public budgets.”
  • “Several delegations said the sanctions provided by the draft regulation were too heavy, especially for SMEs.”

Get the drift of these discussions yet? Do you get the impression that the minutes show that member states are as harmonious as a busyness of ferrets in a sack?

Call your bookie

Well, if this level of “agreement” continues, then the regulation will not see the light of day in its current form. There are likely to be a number of compromises on the text, many along the lines of “if you support our view about consent we will support your line on data protection officers”. Underpinning any lack of agreement will be Article 16 of the Consolidated Version of the Treaty on European Union; this states that "a blocking minority must include at least four Council members, failing which the qualified majority shall be deemed attained".

I suspect “blocking” will be the name of the tactical game played by all member states when they discuss the content of the regulation. In other words, be prepared for agreements about the text of the regulation to be made not for the best of data protection reasons, but on grounds reached as a result of horse-trading in smoke-filled rooms somewhere in the bars of Brussels.

Also, if you can get odds on the regulation not being implemented by 2018, please let me know!

References

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
