'Progress made' as EU aims to get new data protection laws ASAP
Brussels moves like striking cobra, looks to achieve October agreement
The second round of negotiations on the new EU General Data Protection Regulation (GDPR) saw real movement on Tuesday, according to negotiators.
Sources familiar with the discussions told El Reg that a tentative political agreement has been reached already on Chapter 5 and Article 3. These two elements focus specifically on territorial scope and international data transfers.
According to the text, any company processing data of a European citizen in the European Union is subject to EU law and any transfer of data outside the EU must meet certain adequacy standards. This is more or less what is already enshrined in the current 1995 data protection laws, so it is a logical place to start the so-called trialogue talks. Broad political agreement means that "all we really need to do now is nail down the exact wording," said a source.
Getting consensus between the European Parliament, the Commission and the Council of national justice ministers often proves difficult. But against the external backdrop of the Snowden revelations, reform of the EU-US safe harbour agreement and challenges to jurisdiction by Microsoft and Facebook, there has been a notable push to get the GDPR onto the law books as soon as possible. Negotiators have set themselves an ambitious deadline - the Justice and Home Affairs Council meeting in October.
One sticking point in Tuesday’s negotiations was the issue of exceptions for national security, something that the Luxembourg delegation, which leads the talks for all 28 national ministers, was inflexible on. However, sources said that “an avenue is clear for agreement”.
The more difficult parts of the law will be tackled after the institutions’ summer break - the next meeting is scheduled for 1 September. It is unlikely that areas such as the rights of consumers, duties of data controllers and limitations on further processing of data for incompatible purposes will be dealt with as easily as Chapter 5 and Article 3.
A Data Protection Directive, which covers law enforcement agencies (as opposed to the regulation, which applies to companies), is also on the table, and Parliamentary representatives have said they want the two laws to be treated as a package. ®