The European Commission proposed reforming the EU data protection framework two years ago. But a new General Data Protection Regulation has yet to be adopted. We expect the Regulation to be adopted in 2015, but it will not enter into force until 2017.
Proposed Privacy Regulation
In January 2012, the European Commission had proposed to revise and update the EU data protection framework, and it released the Proposed Privacy Regulation to replace the Data Protection Directive. A year later, a member of the European Parliament, Albrecht, lead rapporteur for the Civil Liberties, Justice and Home Affairs Committee of European Parliament (LIBE Committee), published a draft report, which was followed by the submission of over 3,000 amendments as a result of extensive lobbying. These amendments were integrated into a compromise: the text of the Proposed Privacy Regulation reflecting the position of the LIBE Committee on 21 October 2013.
Significant aspects of the LIBE Committee draft include:
- the maximum fine which data protection authorities may impose is increased to 5% of a company’s annual turnover
- with regard to the current one-stop-shop mechanism, a lead supervisory authority will be introduced that has to consult with all other competent authorities before taking appropriate measures
- consent for processing personal data is not a condition for the execution of the contract or the provision of the service if not necessary
- the right to erasure embodies the right to be forgotten
- data security breaches are to be notified with undue delay, that is, within 72 hours after detection of the breach
- a data protection officer has to be appointed when the processing is carried out by a legal person and relates to more than 5,000 data subjects in any consecutive 12-month period
- the controller or processor must perform a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects to determine whether the processing is likely to present specific risks
- there are minimum standards for processing data in an employment context
- in principle, decisions by administrative authorities and judgments of courts or tribunals of third countries that require a controller or processor to transfer personal data may only be obeyed with prior authorisation by the supervisory authority
- the controller must provide the data subject with specific information about how its data will be handled before providing any other information.
Timeline and obstacles
The EU Parliament is moving forward to adopt the Proposed Privacy Regulation in April 2014, well before the EU Parliamentary elections in May 2014. The EU Commission and LIBE Committee are also aiming to complete the data protection reform by the end of 2014. Yet, the EU Council has to be convinced to agree to the LIBE Committee draft, but so far it has not agreed on a position. Until the EU Council has done this, it seems likely that it will not enter into negotiations with the European Commission and LIBE Committee rapporteurs Albrecht and Droutsas. Other obstacles to overcome: a number of member states would rather have a directive than a regulation, and Germany is resisting a Privacy Regulation with a lower privacy standard than its current legislation and wants to impose “German standards” on all EU member states.
Is adoption before the end of 2014 possible?
Despite the goal of the EU Commission and LIBE Committee to adopt a final Privacy Regulation by the end of 2014, we do not expect this to happen until 2015. The EU Commission is eager for the EU Parliament to adopt the Proposed Privacy Regulation before the EU Parliamentary elections in May 2014, but some member states may impede adoption by the EU Council before the end of 2014.
- Expected 14-17 April 2014: plenary vote on Proposed Privacy Regulation (end of first reading by the EU Parliament)
- Expected July 2014: start of negotiations between LIBE Committee, the EU Council, and the European Commission on the amendments
- Expected by 2015: first reading by the EU Council
- Expected early 2015: conclusion of the legislative process
- Expected late early 2017: Privacy Regulation comes into force