The EU regulatory framework for protection of personal data is undergoing major reform in order to tackle persisting differences between national data protection regimes across the EU. Additional objectives of the reform include strengthening data protection in line with its status as a fundamental right in the EU constitutional order, increasing public trust in online services, and minimising data controllers’ compliance burdens. As part of this reform the European Commission issued a proposal in 2012 for a General Data Protection Regulation (GDPR) which is to replace the current Data Protection Directive (Directive 95/46/EC).
A very interesting review of the issues and challenges to this reform is provided by L.A. Bygrave (University of Oslo) in the recent deliverable “D5.2 A Roadmap for IoT/Cloud/Distributed Sensor Net Privacy Mechanisms” from the Network of Excellence in Internet Science (FP7-288021) published on 30 November 2014.
As described in the “D5.2 Roadmap”, the GDPR will be more detailed and stringent than the Data Protection Directive (DPD), and with 139 recitals and 91 articles (many comprising multiple clauses), the combined immensity and density of the document risks making comprehension of it extremely challenging, even for experts in the field.
Noteworthy enhancements of current rules include:
- New requirements of ‘data protection by design and by default’—ie an obligation on data controllers to inject data privacy norms into information systems development (art 23; cf DPD art 17);
- A new obligation on controllers and processors to carry out ex ante ‘data protection impact assessments’ of risky processing operations (art 33);
- A new obligation on controllers to notify Data Protection Agencies (DPAs) and data subjects of ‘personal data breaches’ (arts 3 –32);
- Stronger sanctions (art 79);
The proposed regulation also includes duties on controllers and processors to document in detail all processing operations under their responsibility (art 28), a general duty of accountability on controllers (art 22) and, in particular cases, duties on controllers and processors to appoint internal ‘data protection officers’ (DPOs) (art 3 ).
As is the case with numerous areas of regulatory policy the EU data protection reform is faced with the dilemma of finding a way to provide sufficient prescriptive guidance without unduly compromising normative flexibility in the face of technological change and uncertainty over the direction of that change.
It will take considerable time before the dust settles around the legislative reform. The process is complex and cumbersome. The European Parliament has endorsed the basic thrust of the Commission’s proposal, albeit with minor exceptions (e.g. the Parliament has proposed beefing up the sanctions regime such that fines can reach 5% of a company’s annual worldwide turnover, whereas the Commission has proposed a 2% level). However, the Council of Ministers is still debating its own set of amendments and there are reports of deep splits on central points of the proposal (such as the ‘one-stop shop’ scheme).
To quote Burton, Kuner and Pateraki (2013), ‘The reform is a marathon, not a sprint’. The development of this legislation will undoubtedly see many more twists and turns, so, recalling the admonition from Nesta that ‘The coming European Data Protection Regulation is the most important piece of law that no-one has heard of’, let’s add monitoring of the progress of this legislation to our list of new year resolutions for 2015!