Where is Europe’s data protection reform going?
Europe’s data protection laws are out of date. Remarkably, the current Data Protection Directive failed to take account of the internet when it was enacted (that’s not my opinion, it’s the judgment of the CJEU). The entry into force of the Lisbon Treaty in 2009 created a new legal basis for the EU to legislate for data protection, not just the single market. The European Commission published its proposal for a data protection regulation in January 2012. A lot of discussion has followed since then, but it’s still not clear if and when the regulation will be enacted. Progress seemed to be made last year, with the EU Parliament agreeing its own proposal in October, but progress then stalled in the European Council.
Greece took over the Presidency of the EU in January 2014; this role will pass to Italy in July. In January the present Greek Presidency and the future Italian Presidency agreed upon a roadmap. This would entail the Council agreeing its position by June. Trialogue between Council, Parliament and Commission would then commence, with enactment anticipated by year’s end.
Negotiations are continuing. The European Data Protection Supervisor sought to intervene in these by means of a letter, published on Valentine’s Day. This identified a number of issues that are still being discussed by the European Council.
- Firstly, there is the proposal to exclude public bodies from the scope of the Regulation. This might work if it were confined to the functions of central government, but the reality is that public bodies are intermingled with the private sector throughout Europe. This would have the effect of creating one regime for data that is processed by a public hospital and another for data that is processed by a doctor who is in private practice. You would similarly have one regime for State schools and another for private.
- Secondly, there is the one-stop shop. Europe needs to provide clarity as to who is responsible for supervising the data processing undertaken by controllers. The Commission had proposed that this role would be undertaken by the supervisor of the territory in which the controller was based. So a company based in France would be subject to the French data protection supervisor. The Commission proposal went on to provide consistency and co-operation mechanisms. Concerns have been raised about this approach, most notably by the European Council’s own legal advisor. But it’s very hard to see how dividing up supervisory responsibility between up to 29 different supervisors (those of the 28 Member States plus the EDPS) will improve supervision.
- Finally, there is the risk-based approach to accountability. This would require that controllers be able to demonstrate that they have considered the risks of a particular data processing operation.
The next significant event is the JHA Council on Tuesday, 4th March. EU Justice Ministers are due to discuss the proposed data protection regulation at that event.
Where is it going?
It’s hard to say. Whilst the make-up of the European Council will not change this year, the make-up of the European Parliament and Commission will. European Parliament elections are in May; the term of the current Commission will end on 31st October next. There had been hopes that the Regulation could have been enacted before the current term of the Parliament ended; those hopes have now transferred to the term of the current Commission. The EU Council did commit to ensure the enactment of the Regulation “by 2015”. Whether that commitment can be met remains to be seen.
Denis Kelleher, 22nd February 2014