Reports of the potential demise of the General Data Protection Regulation following the departure of Justice Commissioner Viviane Reding appear to have been exaggerated. More than three-and-a-half years after the process started, it now seems that the General Data Protection Regulation may become law as early as December this year.
The Regulation is now in the trilogue stage, where representatives of the European Commission, Council and Parliament will try to agree a final text. Substantial differences still exist between the Parliament's position (which essentially seeks to maximise the protection available for individuals' data) and the Council's (which has adopted a more business-friendly approach). Of interest from a cyber insurance perspective, the Council proposes compulsory notification of breaches within 72 hours (rather than 24), proposes limiting the obligation to notify to "serious" breaches, suggests that compulsory appointment of a data protection officer should be a matter for local regulators, and rejects the fines of up to €100m or 5% of global turnover suggested by the Parliament (although it has not made a firm counter-proposal on this question).
Given the significant areas of difference and the time taken for the Regulation to reach this stage, it remains to be seen whether a final text can be agreed by December. However, it now seems to be only a matter of time before the Regulation becomes law. Attention is now turning to how the "one stop shop" regulatory regime imposed by the Regulation will affect regulators' behaviour. On the one hand, will regulators funded by a levy on data subjects attempt to adopt a "light touch" approach in an effort to attract large data processors to their jurisdiction? On the other hand, regulators reliant on the income from fines for funding may be encouraged to take a more aggressive approach.