How long do we need to wait for GDPR to be approved?

The Presidency of the EU Council is in the hands of the Latvians until June and, urged on by the European Commission, they’ve highlighted data protection reform across Europe as a key priority. Data protection reform may not grab national news headlines here in the UK, but the consequences of what will become law across all 28 EU Member States will have far-reaching implications for the Government put in charge of running the country after the British General Election is decided in May 2015.

As discussed in blogs on this and many other websites, the spate of data breaches and the security implications for millions of European citizens continue to grow on a daily basis.

And yet those in Brussels appear incapable of pushing ahead with agreement on a single EU Regulation that rebalances the rights and obligations of organisations that hold at least 5,000 records alongside the protection demanded by those individuals who have chosen to share data with those organisations as well as seeking protection against organisations that have their data in the absence of consent.

The optimist camp is looking to have everything wrapped up by the middle-end of this year. This will be in line with the European Commission’s commitment to have all the measures in place that are necessary for a thriving ‘digital economy’ in Europe by 2015.

And the pessimist camp don’t hold out much hope of an ‘entente cordiale’ breaking out anytime soon.

However, judging by how things are moving, the pro-camp for the GDPR are definitely gaining more ground. For example, the Council of Ministers has reached consensus on flexibility for the public sector in terms of its compliance under the GDPR, something which had been a sticking point for one Member State in particular. And the much trumpeted ‘one stop shop’ for business and individuals to turn to when they have a complaint, irrespective of where that may have taken place within the EU, has also achieved agreement.

So perhaps the spirit of compromise is alive and well. What’s hopeful is that we are now entering the “trilogue negotiation stage” and one major hurdle has already been cleared.

About a year ago, the European Parliament agreed its amendments to the GDPR and even though there have been elections since then and a new Parliament, its position remains the same.

The challenge now is for the Council of Ministers to reach agreement on its preferred amendments to the original draft proposals, and for the European Commission to do the same.

And then collectively agreement is required between the European Parliament, the Council and the Commission via three-way “trilogue” negotiations.

The sticking point appears to be with the Council, which is made up of representatives from Member States and discusses the reforms within its DAPIX Committee.

So far, there’s been ‘partial agreement’ by the Council on matters such as international transfers, obligations on controllers and processors (the so called ‘risk based approach’) and the provisions relating to specific data processing situations such as research.

This means that they’ve reached high level agreement on the approach in these areas, even if individual Member States may still have reservations on some of the detail.

But surely the time for procrastination is rapidly evaporating and the EU Member States now need to show leadership. I doubt the Council’s “nothing is agreed until everything is agreed” is a demonstration of bold leadership in action, is it? I doubt the Harvard Business Review will feature this as a piece of best practice in management thinking.

And yet this is the position of the Council – forget the exposure of risk to millions of EU citizens who deserve a modern, fit for purpose data protection law that should create consistency across all EU Member States – let’s play politics instead!

Until the Council eventually comes to a final agreement on its proposed amendments, even these partially agreed areas can be revisited – causing the reforms to data protection to be further delayed and the timescale for reform to get even longer.

However, the Information Commissioner’s Office (ICO) is publicly urging all organisations not to adopt a ‘wait and see’ approach but to crack on with changing the way they store, secure and use data under the new EU data protection regime that exists at present.

“Together with our fellow data protection authorities in the Article 29 Working Party, we are urging everyone to get a move on.

“As we’ve said before, there’s no doubt reform is needed, and it’s needed even more now than it was three years ago! It really doesn’t help the effective protection of individuals, which is what data protection is all about, for businesses to be left in continuing uncertainty about what is going to be required of them.

“It’s important to get the new law right, of course, but the Parliament has reached agreement and all the basic concepts of data protection are well established and still valid, so it’s hard to see why it’s all proving so difficult in the Council. When they do finally reach agreement we will analyse their proposed amendments and provide a commentary.

“At that stage we’ll still be offering advice on what we see as the key questions to be addressed in the trilogue,” explains David Smith, Deputy Commissioner and Director of Data Protection, ICO.

The ICO is currently forming a view on the following issues that will need to be considered under the current trilogue:

  • the scalability of the obligations under GDPR, particularly for small business;
  • the provisions on profiling and risk;
  • the definition and use of pseudonymisation of data;
  • the ‘one stop shop’ and associated consistency mechanism across all EU Member States;
  • the right of erasure and the GDPR’s enforceability outside of EU jurisdiction; and
  • the duties of data protection authorities (DPAs) in individual EU Member States including the imposition of sanctions that could be up to 5% of global turnover or €100m.

Designing privacy rules fit for the 21st century can be largely a matter of subjectivity, according to many lawyers who are commentating on this issue right now. And although no two people will ever share the exact same interpretation of “privacy”, this can be exacerbated on a pan-European level; it’s hoped that those in Brussels will see that time really is running out.

