Where Things Stand Now
The Draft EU Data Protection Package: A history of the EU’s privacy reform effort and a look forward to the finish line
By Nóra Ní Loideain
Reforming the outdated EU legislative framework governing data protection was always going to be a daunting task.
The conditions and requirements of the 1995 principal EU Data Protection Directive (95/46/EC) have harmonized standards in the transparency and accountability of domestic laws regulating the protection of personal data by the public and private sectors across Europe since the directive came into effect.
However, as highlighted by the European Commission in its Impact Assessment of the current framework in 2012, “rapid technological and business developments” have occurred in the interim, particularly the ubiquitous use of Internet-based and mobile communication devices and the dramatic advances, in addition to the significantly lower costs, involved in the processing of personal data.
While the established objectives and principles of EU law remain sound, this has not prevented fragmented implementation of the current data protection framework across the EU.
This lack of harmonization raises concerns of legal uncertainty and a widespread public perception that there are significant privacy risks associated with online activity. These issues serve to undermine consumer confidence, threaten the expansion of online markets and services and infringe the fundamental right of all EU citizens to the protection of personal data, as guaranteed under EU law.
The proposed data protection reforms (both the regulation and the directive concerning police and judicial cooperation in criminal matters) were developed to address these issues. According to the European Commission, the policy objectives underlying the DP reform package reflect the need to build:
[A] stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.
The subsequent policy process has gradually engrossed the attention of policy-makers and stakeholders from the private and public sectors since the publication of the proposed Data Protection Reforms by the commission in January 2012.
Leading legal expert Christopher Kuner, author of recent OUP publication Transborder Data Flows and Data Privacy Law, aptly describes the pending major reforms as a “Copernican Revolution” in EU data protection law that represent a shift in focus “from paper-based, bureaucratic requirements and toward compliance in practice, harmonization of the law and individual empowerment.”
Since 2012, four EU presidencies—Denmark, Cyprus, Ireland and now Lithuania—have been responsible for advancing the EU data protection reform project. Based on the updated timeline from the meeting of the EU Council (24/25 October) for the enactment of the regulation “by 2015,” the Greek Presidency—and possibly even the Italian Presidency from July 2014—is likely to be steering the final stages of this process.
Developments in 2013
From 2012, the initial pace toward reform was slow but picked up considerable momentum in 2013. Any reference to the DP reforms was notably absent from the Danish Presidency’s Programme of policy priorities. In contrast, the Cypriot Presidency was unequivocal in expressing its commitment to “work actively” to “advance negotiations of the data protection reform.”
The Irish Presidency had the unenviable task of moving from the negotiation stage to seeking agreement on specific provisions of the data protection reform project in January 2013. EU Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding subsequently commended Ireland for its work. Following 25 high-level expert meetings and reaching agreement on four out of 11 chapters of the proposed regulation, Commissioner Reding described this “data protection sprint” as “a remarkable achievement”—the exhausting pace of which allegedly resulted in EU diplomats having to sleep in tents.
Throughout the Irish Presidency and the current Lithuanian Presidency, Parliament reviewed the commission’s proposals and returned with amendments—many amendments. By the time all the different committees in Parliament had voted on the proposed reforms, more than 3,000 amendments needed review. After a somewhat understandable number of delays, a majority of the LIBE (Civil Liberties, Justice and Home Affairs) Committee backed an amended draft of the commission’s DP proposals on 22 October.
Several major substantive recommendations have been proposed under the DP regulation. The most groundbreaking changes include the ‘One-Stop Shop’ system, major sanctions for breaches, and the establishment of data protection officers once the personal data of more than a specified number of data subjects is being processed annually by an organization. An in-depth analysis of the LIBE amendments to these proposals can be found in this free web conference moderated by IAPP VP of Research and Education Omer Tene and in Christopher Wolf’s analysis of the impact on Safe Harbor.
Complicating matters, near the end of the Irish Presidency, whistleblower Edward Snowden revealed to leading news publications in the UK and U.S. (The Guardian and The Washington Post) details of FBI and NSA programs involving the surveillance of communications data—otherwise referred to in the U.S. as “metadata”—and content of citizens’ communications both within and outside of the U.S. These (ongoing) revelations have since become well-known worldwide and have played a role in the EU data protection reforms.
In response to the Snowden revelations, German Chancellor Angela Merkel highlighted the need for EU member states to adopt more robust data protection laws in order to require Internet service providers operating within the EU to reveal who receives personal data from them. Commissioner Reding subsequently urged the leaders of other member states to follow Chancellor Merkel’s resolute commitment to strengthen the current EU data protection laws.
Reflections and Predictions
Commissioner Reding and the EU Parliament have used the Snowden revelations as a driver for the urgent passing of the draft regulation. Scant attention has been drawn, however, to the draft legal instrument that is more relevant to this issue—the proposed directive on the protection of personal data processed by law enforcement authorities within the EU.
It is unlikely, however, that this policy situation will change. The future of the proposed Data Protection Regulation is the focus of legislators and stakeholders both within and outside of the EU.
Two main factors underpin this prioritization.
First, as a matter of logistics, finalizing the provisions of the regulation requires a significant amount of time for negotiation and agreement between the EU institutions and member states. Second, several member states have only just implemented the 2008 Council Framework Decision regulating the protection of personal data processed by law enforcement authorities (2008/977/JHA). EU principles of Better Regulation therefore require that the impact of this instrument be assessed before the EU rules governing this area are changed again so soon.
Both the Article 29 Data Protection Working Group (4 December 2013) and European Data Protection Supervisor Peter Hustinx have warned (15 November 2013) that the Parliament elections in July are also likely to disrupt the ongoing consultations between the EU institutions as they work towards finalizing a compromise draft for the commission before the end of 2014.
As Hustinx emphasizes, legislators should aim to adopt the data protection proposals swiftly “as a new Parliament may mean examination of the proposals would have to begin afresh.”
Despite the priority in their programme to “continue intensive negotiations seeking substantial progress on the Data Protection package,” the Lithuanian Presidency has indicated no sense of urgency to finalize an agreement between the Parliament and Member States on the Data Protection reforms by the end of 2013.
The next EU Council General Affairs meeting takes place on 17 December 2013—just before the final meeting of the council for 2013—when the draft conclusions from its meeting in October, more specifically the current 2015 deadline for the proposed regulation, will be debated.
It is unlikely, however, that a consensus from member states in response to the proposals by Parliament to the Draft Regulation will be established by this time given the current lack of political impetus from key member states, particularly the UK and Germany, to quickly reach an agreement.
The lack of urgency from the UK appears to stem primarily from concern over the implications that data protection reforms pose for industry. Minister for Justice Chris Grayling notes that it is better to “take the time … rather than rush into something that proves unworkable and costly.”
In contrast, Chancellor Merkel insists that any delay from Germany is due to ensuring that the future data protection standards of the EU mirror Germany’s high data protection standards.
Whatever the driving factors, there appears to be little political will to quickly advance the current state of the negotiations. For example, the Justice and Home Affairs Council will debate the one-stop shop system this week (5-6 December). UK Home Secretary Theresa May has, however, already suggested that any significant progress on this aspect of the proposed data protection reforms is unlikely:
The justice day will begin with a discussion on the concept of the one-stop-shop mechanism contemplated in the draft Data Protection Regulation. The presidency has indicated its wish to reach a partial general approach on those aspects, though it is possible the council will conclude that this would be premature.
Given all of the above factors, both substantive and procedural, reaching agreement on the reforms before the 2015 deadline set by the council is a possibility. Achieving the same task, however, before the end of the current EU legislature in 2014 seems increasingly unlikely.
Nóra Ní Loideain is a PhD candidate and CHESS scholar at the Faculty of Law in the University of Cambridge. Her doctoral thesis concerns the Data Retention Directive (2006/24/EC), specifically the surveillance by law enforcement authorities of communications data obtained from the private sector and the right to respect for private life in Europe. She has previously worked as a judicial researcher for the Supreme Court and as a legal research officer in the Office of the Director of Public Prosecutions of Ireland. Her main research interests and publications are in the fields of EU law and policy-making; data protection, civil liberties and human rights, particularly under the EU and ECHR systems.