Privacy Advisor

Three Steps to Heaven, St. Rita and the Future of the EU Draft Regulation

October 3, 2013

By Jedidiah Bracy, CIPP/US, CIPP/E

Here at the IAPP Privacy Academy in Seattle, WA, much of the discussion has centered on operational privacy considerations and emerging trends in data protection. In the background looms a partially shut down U.S. government, with both political parties holding their ground in what may be a long, uncompromising political slog that has affected the privacy world in at least a small way: FTC Commissioner Maureen Ohlhausen was forced to Skype in to her session here, while Julie Mayer, FTC staff attorney, and Janis Kestenbaum, FTC counsel, were unable to join their panels at all.

Nine time zones east of here, the EU is going through a gauntlet of compromise and complexity itself.

The EU draft regulation—something originally proposed nearly two years ago—was the center of attention Wednesday afternoon at one Privacy Academy breakout session featuring a panel that included Ireland Data Protection Commissioner Billy Hawkes.

To frame the current state of the regulation, Promontory Financial Services Group Managing Director Simon McDougall, CIPP/E, cited the 1960 Eddie Cochran song “Three Steps to Heaven”: one, find a girl to love; two, she falls in love with you; three, kiss and hold her tightly.

“Well, the EU decided there are more than 30 steps to heaven,” McDougall noted. “This is the process we are in to get the draft regulation, and ladies and gentlemen, we are currently on step one.”

Why is the EU still on step one?

McDougall cited two main reasons for this perceived rut. “There is genuine disagreement—this can’t be understated—this is not just politicking. There are fundamental disagreements” among different parties. Additionally, he noted, “there is too much room for variation in the draft. There is no harmonization, and the problem is that the regulation has brought out a lot of the disagreements—the flexibility of the regulation is why we’re at a stalemate.”

So what’s going to happen?

In the last few weeks, McDougall has observed that the odds of the draft regulation passing have shifted from 50-50 to 60-40 in favor of legislation. The no camp features “big egos” and it’s getting “personal and petty,” he noted. “On the flipside, the yes camp, there is common will and the recent NSA revelations have many within Europe pushing for something. There has been a drumbeat in the last couple weeks that getting something done is better than nothing.”

And the clock is ticking.

May 22 happens to be the feast day of St. Rita, the patron saint of impossible causes, McDougall cheekily pointed out. And, coincidentally, May 22 also happens to be the day of the next European elections. It’s an important date: new MEPs will be elected, and new members will comprise the relevant committees charged with guiding the regulation through passage. “If nothing gets done before that date, the regulation would take a mighty step back,” said McDougall. “So there is a political imperative to get something in place.”

Ruth Boardman, Partner, Bird & Bird; Billy Hawkes, Irish DPA; Michael Spadea, Promontory; Simon McDougall, CIPP/E, Promontory

“I think Simon has set out predictions for the regulation very well,” said Commissioner Hawkes. “It’s hard to say if it will get out by next May and very messy compromises would be involved.”

Hawkes reminded the audience that a second legislative bill—the law enforcement directive—is simultaneously making its way through the EU. Some warn there will be no regulation if this law enforcement directive isn’t passed as well, he said.

“If there is a late-night deal” on the regulation, Hawkes added, “it could transform the regulation into a directive.”

Which, in a sense, brings the EU back to square one—at least with harmonization. One of the main arguments in favor of passage of the regulation is that it would create one single EU law instead of the nearly 30 separate laws that companies operating in Europe now need to navigate.

What should we expect with a potential regulation?


McDougall highlighted what will likely remain in the bill. Penalties have remained “relatively unscathed during the process,” he noted. There should still be a strict regime in place, as well as a breach notification requirement. There will be something around data access requests and data deletion. “Most people in Europe are obsessed with Facebook,” so watch out for that, he noted. There will also be something on profiling, privacy impact assessments and other tools to promote good practice around privacy and data protection.

McDougall said two things could happen with the regulation. A last-minute compromise could produce something that, in the end, could “be a pretty badly written regulation” where “we’ll be sitting there frowning at this.” Or, McDougall said, time could just run out. It would be like a “bunch of drunk guys in a bar arguing and suddenly the bar is closed.”

What’s still unclear?

“With consent, it’s difficult to tell if there’s any momentum one way or another.” The definition of what comprises a legitimate business interest remains dodgy as well. It’s also difficult to tell if there will be a provision on proportionality and risk management, McDougall said. And perhaps, for Americans doing business in the EU at least, the future of Safe Harbor “is still up for grabs,” he warned.

And what about other specific provisions?

The panel, which included Bird & Bird Partner Ruth Boardman, answered some of the specifics.

Issues such as how employment data is handled—specifically in Article 82—will remain “and will allow member states to have the flexibility because of the cultural differences within the EU,” Boardman said.

Hawkes agreed. With employment and health data, the cultural differences are just too great.

Regarding enforcement and monetary penalties of up to one percent of revenue, Hawkes said “there is a determination that willful failure to respect rights should attract harsh penalties … I don’t think that means you’ll find the max penalty.”

Boardman agreed, saying “if we do end up with bigger penalties” it could affect a fundamental relationship with regulators.

One attendee asked how the “right to be forgotten” can be balanced with the need to maintain business processes like fraud prevention. Hawkes said there “will be a recognition of cases where there is a legitimate reason such as fraud prevention,” but businesses should have a data retention policy in place under the current directive anyway.

McDougall added there will likely be more prescriptive regulation around data deletion and retention. Plus, Hawkes said, “once you have the data, you must deal with access requests.” And don’t forget about data breaches. “The longer you hold on to it, the more likely it will be breached,” he said.

When asked how data protection authorities will handle increased responsibility with a potential regulation with limited revenue, Hawkes sagely pointed out, “People in public services are used to lamenting their lack of resources and getting on with their jobs.”
