EU data protection reform

The EU regulatory framework for protection of personal data is undergoing major reform in order to tackle persisting differences between national data protection regimes across the EU. Additional objectives of the reform include strengthening data protection in line with its status as a fundamental right in the EU constitutional order, increasing public trust in online services, and minimising data controllers’ compliance burdens. As part of this reform the European Commission issued a proposal in 2012 for a General Data Protection Regulation (GDPR) which is to replace the current Data Protection Directive (Directive 95/46/EC).

A very interesting review of the issues and challenges to this reform is provided by L.A. Bygrave (University of Oslo) in the recent deliverable “D5.2 A Roadmap for IoT/Cloud/Distributed Sensor Net Privacy Mechanisms” from the Network of Excellence in Internet Science (FP7-288021) published on 30 November 2014.

As described in the “D5.2 Roadmap”, the GDPR will be more detailed and stringent than the Data Protection Directive (DPD), and with 139 recitals and 91 articles (many comprising multiple clauses), the combined immensity and density of the document risks making comprehension of it extremely challenging, even for experts in the field.

Noteworthy enhancements of current rules include:

  • New requirements of ‘data protection by design and by default’—i.e. an obligation on data controllers to inject data privacy norms into information systems development (art 23; cf. DPD art 17);
  • A new obligation on controllers and processors to carry out ex ante ‘data protection impact assessments’ of risky processing operations (art 33);
  • A new obligation on controllers to notify Data Protection Agencies (DPAs) and data subjects of ‘personal data breaches’ (arts 3 –32);
  • Stronger sanctions (art 79).

The proposed regulation also includes duties on controllers and processors to document in detail all processing operations under their responsibility (art 28), a general duty of accountability on controllers (art 22) and, in particular cases, duties on controllers and processors to appoint internal ‘data protection officers’ (DPOs) (art 3 ).

As is the case with numerous areas of regulatory policy, the EU data protection reform is faced with the dilemma of finding a way to provide sufficient prescriptive guidance without unduly compromising normative flexibility in the face of technological change and uncertainty over the direction of that change.

It will take considerable time before the dust settles around the legislative reform. The process is complex and cumbersome. The European Parliament has endorsed the basic thrust of the Commission’s proposal, albeit with minor exceptions (e.g. the Parliament has proposed beefing up the sanctions regime such that fines can reach 5% of a company’s annual worldwide turnover, whereas the Commission has proposed a 2% level). However, the Council of Ministers is still debating its own set of amendments and there are reports of deep splits on central points of the proposal (such as the ‘one-stop shop’ scheme).

To quote Burton, Kuner and Pateraki (2013), ‘The reform is a marathon, not a sprint’. The development of this legislation will undoubtedly see many more twists and turns, so, recalling the admonition from Nesta that ‘The coming European Data Protection Regulation is the most important piece of law that no-one has heard of’, let’s add monitoring of the progress of this legislation to our list of new year resolutions for 2015!

3 thoughts on “EU data protection reform”

  1. On June 15th 2015 the EU data protection reform took a step forward on the long negotiating road towards the establishment of new EU regulation. After more than 3 years of negotiations the Council of the European Union finally found a compromise on the text. The agreement will lead to a “trilogue” beginning next week between the European Commission (EC), the European parliament and the Council of the European Union on each of their amendments to the EC’s proposal.

    How tough the new laws and regulation become will be up for debate. The idea of a single data regulator – a one-stop-shop – for large issues has been popular in theory. What form that would take will be crucial for companies such as Facebook and Google operating in Europe.

    Under scrutiny are proposals regarding: unambiguous consent for any data collection, such as tracking for adverts; limits to the ability to use data for purposes other than those for which it was collected, such as profiling; and a strengthened “right to be forgotten”.

    The Council of the European Union has agreed new fines for breaches of EU privacy and data protection law could be up to €1m or 2% of the company’s global annual turnover. The European parliament would have them as high as €100m or 5% of turnover.

    For more details and background see:
