Coinciding with ‘Data Protection Day’ on 27 January 2014, the European Commission released a memorandum confirming the status of the anticipated reform of the European data protection framework. The promised overhaul of the 1995 EU Data Protection Directive (95/46/EC) has certainly not been as rapid as hoped, with publication of the memorandum marking exactly two years since reform was first proposed in January 2012. Over this time, we have monitored and reported on the frustrating to-ing and fro-ing in discussions among the EU’s 28 member states, which has led reform to be significantly delayed (see our previous blog).
Eager to push forward, Vice President Viviane Reding has commented, “Europe has the highest level of data protection in the world. With the EU data protection reform, Europe has the chance to make these rules a global gold standard. The European Parliament has led the way by voting overwhelmingly in favour of these rules. I wish to see full speed on data protection in 2014.”
To finalize the reform, European Parliament and the EU Council must separately agree their positions on the draft proposals, before proceeding to negotiating the final outcome. The EU Council is expected to finalize its position by mid-2014, with aim to strike a deal with the Parliament by the end of 2014. Reform certainly seems to be a priority for the new Greek Presidency, who convened a meeting in Athens on 22 January 2014 with the European Commission and two European Parliament Rapporteurs, Jan-Philipp Albrecht and Dimitrios Droutas, and with Italy, the next EU Presidency, to agree a road map for swift data protection reform in 2014.
European Parliament spokeswoman Natalia Dasilva has commented that as part of the April 2014 Plenary session, Parliament is expected to adopt the LIBE version of the draft regulation, which was successfully voted on back in October 2013 (see our previous blog). A summary of some of the key points under the LIBE draft included:
- The right to be forgotten
- The right to data portability
- Explicit consent requirements
- Notification of serious data security breaches to data subjects and supervisory authorities within 24 hours
- One continent, one law: single pan-European law for data protection to replace current inconsistent patchwork of national laws
- One-stop-shop: organisations will only have to deal with one single supervisory authority
- Data protection authorities to have strong enforcement powers, including ability to fine companies up to 2%-5% of their global annual turnover
- Regime for notifications to supervisory authorities will be scrapped
While certain aspects of the LIBE draft remain controversial, if Parliament should proceed to adopt this version, it will avoid starting the whole procedure from scratch, and will eliminate the fear that details of the text could be reopened for discussion causing even further delay.