The European Commission introduced far-reaching proposals to amend Europe's data protection laws on 25 January 2012. We first reported on those proposals, which stretched to some 119 pages, in our initial Alert the same day and our update on 16 February 2012.
Much as was anticipated then, the proposals have turned out to be something of a political hot potato, with many of the proposals receiving political attention throughout Europe.
Laws like this in Europe need the consensus of three separate bodies to become law:
- The European Commission (in this case, the proposer of the new laws),
- The European Parliament and
- The Council of the European Union ("the Council").
In addition, the data protection regulators of each of the EU member states have also analyzed the proposals in detail. Last week, the UK data protection authority, the Information Commissioner Christopher Graham, published a letter he wrote to The Right Honourable Chris Grayling MP, Secretary of State at the Ministry of Justice, reminding the UK Government of some of his concerns. The Information Commissioner felt that it was timely to remind the UK government of some of the flaws in the proposals ahead of the Council's meeting to discuss these issues.
The Information Commissioner's conclusions are not entirely positive. He says:
"As things currently stand, for all the recent talk about proportionality and risk, I see real problems ahead with the practical delivery of a Regulation that is still so detailed and specific as to the processes DPAs [Data Protection Authorities] shall undertake in almost all circumstances."
Mr. Graham lists a number of concerns, including:
- The requirement for all data breaches to be notified to the DPA, rather than just those which pose significant risk (a concern that we reported on in our original Alert in more detail).
- The fact that prior authorization is to be required for international transfers where this is not required under the current regime (only some countries require prior notification of a transfer—it may be hard to foresee how introducing this requirement across Europe could be said to be meeting one of the European Commission's stated intentions of reducing bureaucracy when this would in fact increase it).
- Limited discretion of DPAs over administrative sanctions, which are imposed on the basis of process failures rather than on privacy risks.
Mr. Graham also expresses concern that the regime is bound to be very costly. He says that the European Commission's long-promised study on the funding of DPAs has still not been published, "but, given the state of the public finances across the EU and the more obviously higher priority causes competing for funding, it is surely questionable that there will be much more money available for DPAs than there is now." Mr. Graham also expresses concern about the funding of the data protection regime when coupled with the European Commission's proposal to abolish the notification system. Registration fees fund data protection enforcement authorities throughout much of Europe. The Information Commissioner points out that replacing registration fees with central funding is likely to be seen as compromising the independence from government of DPAs, which is an essential part of the current regime.
The Council's Position
EU member states take turns presiding over the Council. Currently, the presidency is held by Ireland, with Lithuania due to take over at the start of July. Ireland has tried to bring some sense to the European Commission's proposals and at the end of May, released a draft compromise text that deals with some of the flaws in the original proposed Regulation, including some of those which we highlighted in our original Alert. For example, Ireland proposes that the time frame for reporting security breaches to be extended to 72 hours (rather than the 24 hours proposed by the Commission) and proposes adding a materiality threshold for a security breach to be reported, which is similar to the threshold that exists in breach legislation in most U.S. states. Again, like the United States, Ireland proposes that security breaches not involving a potential compromise of personal data (such as where the data was encrypted) need not be reported.
Ireland also suggests reducing the European Commission's proposal to reserve powers to the European Commission itself to deal with some aspects of data protection law without scrutiny by the Council or Parliament. This again is likely to be welcomed given the absence of clarity in the European Commission's original Regulation and the European Commission's track record in some areas of less-than-timely and less-than-clear updates.
Where Do We Go from Here?
The future path of the new laws is still far from certain. Some 3,000 amendments to the proposed Regulation have been suggested, and there is still much work to be done—both in the Parliament and in the Council—to finalize a draft that takes into account all of those concerns. Reports from Paris suggest that the Irish compromise would still not be acceptable to France. Spain, Italy and Germany may also still have concerns in addition to those of the UK Information Commissioner. It would seem unlikely that that work will be done before the summer break. When the Regulation was first proposed, we felt that the earliest realistic date was sometime in early 2015. That estimate would still be the best guess, although the concerns over the Commission's original proposals indicates there could be yet further delay.