EC Commissioner Oettinger makes noteworthy comments during a conference in Munich regarding the pending EU Data Protection Reform.

Background

In 2012, the European Commission (EC) proposed a major reform to the European Union’s (EU’s) legal framework regarding the protection of personal data. This reform would expand the reach of the EU’s 1995 Data Protection Directive (the Directive) and harmonize the Member States’ often inconsistent implementation of the Directive. Although the stated goal of the reforms is to strengthen individual rights and address the challenges of globalization and new technologies to lessen the administrative burdens of compliance for companies, if adopted, these reforms will also change the landscape for U.S. companies that do business in Europe. Among the most significant, the proposed reforms would

  • Expand EU jurisdiction over U.S. companies—even those that don’t have branches, offices, or facilities in the EU.
  • Impose higher penalties for violations of EU data protection laws (the current proposal fines up to 5% of global revenue for a company).
  • Contain new EU-wide rules on data security breaches and how to deal with them.
  • Increase notification requirements for international data transfers, such as for U.S. litigations and investigations.

During a recent conference in Munich, EC Commissioner Günther Oettinger discussed his vision of the Directive and the potential impact of the proposed reforms. He said that, by the end of 2015, the EC intends to submit a proposal for a common European Data Protection Directive that addresses the need for secure “European cloud” data storage. By May 2015, the EC is also expected to publish its strategy for the digital sector. Mr. Oettinger pointed out that, currently, the Member States, with their 510 million people, have one market for such things as food, Bordeaux, and cars but face a fragmented market for digital products and services. Twenty-eight distinct regulations, data protection rules, and regulators exist in the name of implementing the Directive. Mr. Oettinger acknowledged that fragmented implementation does not create a favorable environment for start-ups and investors in the IT sector.

Comments

Mr. Oettinger’s remarks can be evaluated in light of the ongoing debate as follows:

  • If a final EC proposal is not ready any time soon, a final decision on the EU data protection reform in 2015 is not very likely. Jan Philip Albrecht, data protection rapporteur at the European Parliament on the EU reform package, is optimistic about the EU Council reaching its negotiating position this summer and reaching a final decision by the end of 2015.
  • The reform may be further delayed by the growing debate about whether the EU should institute EU-wide mandatory traffic data retention to assist with antiterrorism efforts. Data traffic retention could clash with some provisions of the proposed reforms (e.g., data deletion requirements, reimbursement of the providers, and preventing data access by the U.S. National Security Agency).
  • Mr. Oettinger prefers that the Directive be a legal tool for the reform instead of a directly enforceable EU regulation. This could mean further delays before the new rules are implemented in the EU Member States, and national regulators could proceed with individual enforcement that goes beyond the reform package.
  • Mr. Oettinger favors the “one-stop shop” concept, whereby a provider is regulated by one data protection agency (DPA) only while doing business throughout the entire EU. Although the concept helps U.S. companies avoid unnecessary bureaucracy, this remains a highly contested provision of the proposed reforms. The main issue of contention is how the lead DPA would interact with the DPAs in other Member States and handle EU customer complaints.
  • Other EC commissioners, such as Vĕra Jourová, the new commissioner in charge of Justice, Consumers and Gender Equality, may try to gain some profile by modifying Mr. Oettinger’s proposals or by promoting her own plans.

In sum, it appears that Mr. Oettinger is realistic about the challenges that the EU faces in implementing data protection reform and is open to industry suggestions for the privacy sector, particularly in areas where Europe is strong, such as the car industry, health, and digital infrastructure.