January 28, 2015 marked the ninth annual European Data Protection Day. To commemorate the day, Andrus Ansip, European Commission Vice-President for the Digital Single Market and Vera Jourová, the European Union’s (EU) Commissioner for Justice, made the following (some might say, ambitious), joint statement:
It is a day to celebrate and raise awareness of the importance of protecting personal data, a fundamental right for everyone in the EU.
. . .
We must conclude the ongoing negotiations on the data protection reform before the end of this year. By the 10th European Data Protection Day, we are confident that we will be able to say that the EU remains the global gold standard in the protection of personal data.
The reform to which the commissioner refers is the long-awaited General Data Protection Regulation (GDPR). When the European Parliament passed this legislation, it was due to be ratified sometime this year, but there are talks of a delay until 2016. Once ratified, the GDPR will automatically be applicable to all EU member states, without each one having to implement its own legislation.
The aim of the GDPR is to harmonize all current data protection laws across the EU. Ansip’s and Jourová’s statement refers to “one continent, one law,” as one of the main innovations of the European Commission’s data protection reform. The regulation seeks to establish a “one-stop-shop” for businesses, which will now need to deal with only one regulator, as opposed to dealing with individual information protection regulators in each of the 28 member states. However, all companies, regardless of whether they are based in the EU, will be accountable and may be fined up to 2 percent of their global turnover for breaches. The GDPR will seek to hand more power back to the individual citizen by requiring that consent to processing data be explicit rather than implied, by making access to data easier, and by facilitating the “right to be forgotten.”
However, there have been concerns raised about how the GDPR will be implemented across the 28 member states, and how businesses will incorporate the many new requirements. German Green MEP Jan Philipp Albrecht, vice-chairman of the European Parliament’s civil liberties committee and coauthor of the report that proposed these tougher requirements, said that the delay was exposing European citizens’ personal information to security services and perhaps computer hackers and that it was “bad for democracy.” His report was approved overwhelmingly by the European Parliament in March 2014 and progress in EU data protection reform was hailed as “irreversible.” Irreversible it may be, imminent it seems not.
Albrecht said that Germany, France, and the United Kingdom were all holding up the negotiations. Germany is concerned with how the GDPR might erode the sovereignty of the country’s powerful regions, or “L?nder,” as compared to the federal government. Germany and France are both sensitive to the idea that data issues could be decided in the smaller member states with less established data protection traditions. The United Kingdom is opposed to having a GDPR at all, preferring that the EU adopt a new directive in place of the old one, with members states then free to bring it into force in their own way, as indeed they are proposing to do this year with tougher sanctions against nuisance callers and spammers.
Despite the European Parliament’s keenness to move things along, the EU Council of Ministers (that is, the representatives of the member states’ government), must adopt the GDPR contents in the “ordinary legislative procedure.” This involves agreeing to draft legislation with the European Parliament before the European Commission agrees on the final text. So there is still some way to go before the GDPR is adopted. Once it is approved, there will be a period of at least one year or more before countries are required to implement it. So the GDPR will more likely go into effect in 2018.