Euro wonks lay SMACKDOWN on draft data protection rules

Little love for proposed privacy regulation

DAPIX is the Working Party on Information Exchange and Data Protection, where delegations of civil servants from the European Union's member states discuss the Commission’s Data Protection Regulation.

But the minutes of the meeting held on 23 and 24 February reveal that there are deep divisions as to the content of the regulation; in fact, the minutes record that only “a few delegations supported the Commission in its choice of a Regulation”.

I can also reveal the commission’s “hoped-for” timescale for the discussions about the regulation to reach a conclusion. The commission is aiming to have agreement between member states on the content of the regulation by June 2014 (before the elections to the European Parliament). If one assumes a two-year lead-in, then the new regulation should be in force by June 2016. That is why readers should keep a watching brief on the content of the regulation, but there is no immediate need to implement any measure to meet its content.

At the meeting, the commission said that there was a “quadrant of objectives underlying the commission's proposals”. These were:

  • Stimulating growth by building confidence as the result of using uniform data protection rules applicable throughout the European Union;
  • The protection of fundamental rights;
  • The adoption of legal instruments that are flexible enough to adapt to future technological developments; and
  • Legal certainty (note: I think the last one is moderately amusing given the 120-page length of the regulation as published!).

Wasn't the regime supposed to simplify data protection rules?

The minutes record that there was “a real need for reform of the EU data protection regime”, but divergence on what was really needed. For instance:

  • “Some delegations felt that the Commission should have been more radical in its proposal for overhauling the data protection regime and dared to abandon some of the existing main rules and concepts on data protection.”
  • “Many delegations had serious concerns that this newly proposed data protection regime, rather than simplifying the data protection rules as it intended, would result in an increased administrative burden on both the private and public sectors.”
  • “A number of delegations thought that the proposed Regulation did not distinguish sufficiently between the position of, and rules applicable to individuals, small and medium-sized enterprises (SMEs), large international enterprises and the public sector.”
  • “As regards the private sector, several delegations argued that the number of employees a company employed should not be the decisive criterion for differentiating as to the applicability of a number of data protection rules, but that this should instead hinge on the data protection risk inherent in specific types of data processing operations.”
  • “Some delegations strongly advocated a more risk-based approach for the future EU data protection regime.”

The minutes record that “a significant number of delegations stated they would have preferred a directive” and that “a few delegations [thought] that a regulation was too prescriptive”. One delegation “thought that a regulation might be appropriate for the private sector, but not for the public sector”. By contrast, “another delegation thought it would have been preferable to have brought the judicial and police sector under the scope of the regulation”.

Many delegations “criticised the many instances in which the proposal delegated powers to the commission to flesh out the rules of the General Data Protection Regulation through delegated acts” and said that the Commission “was undermining one of the main aims of the proposed regulation, namely: to simplify data protection rules”. The prospect that “delegated acts could eventually lead to an (implicit) modification of national procedural legislation was considered unacceptable by one delegation” (I wonder whether it was the UK?).

But we have no budget for that!

Finally, the minutes noted that:

  • “Whilst welcoming the concepts of privacy by design and the attention to privacy-enhancing technologies, some delegations queried whether the proposed Data Protection Regulation was sufficiently technology-neutral.”
  • “Some delegations expressed concerns as to the technical feasibility of concepts such as the right to be forgotten and the right to data portability.”
  • “A few delegations considered the rules on the data protection officers (DPOs) to be too prescriptive. It was also stressed that the DPOs could find themselves with conflicting roles if they were meant to perform controlling tasks whilst maintaining an independent stance.”
  • “The increased role of the data protection authorities (DPAs) in the draft regulation was welcomed, however the increased tasks of the DPAs would inevitably have to be matched by a substantial increase of their staff and budget, which was not easy at a time of economic crisis and austerity of public budgets.”
  • “Several delegations said the sanctions provided by the draft regulation were too heavy, especially for SMEs.”

Get the drift of these discussions yet? Do you get the impression that the minutes show that member states are as harmonious as a busyness of ferrets in a sack?

Call your bookie

Well if this level of “agreement” continues, then the regulation will not see the light of day in its current form. There is likely to be a number of compromises with the text, many along the lines of “if you support our view about consent we will support your line on data protection officers”. Underpinning any lack of agreement will be Article 16 of the Consolidated Version of the Treaty on European Union; this states that "a blocking minority must include at least four Council members, failing which the qualified majority shall be deemed attained".

I suspect “blocking” will be the name of the tactical game played by all member states when they discuss the content of the regulation. In other words, be prepared for agreements about the text of the regulation, not to be made for the best of data protection reasons, but on grounds reached as a result of horse-trading in smoke-filled rooms somewhere in the bars of Brussels.

Also, if you can get odds on the regulation not being implemented by 2018, please let me know!

References

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
