Data protection reform nears conclusion
Quite a number of initiatives announced under the Digital Single Market strategy rest upon the successful conclusion of negotiations on data protection reform, including the proposed General Data Protection Regulation (GDPR) and the Data Protection Directive on processing of data by law enforcement agencies.
A proposed review of the e-Privacy Directive is to remain under starter’s orders until the two legislative proposals are concluded, and likewise mooted proposals on data flows, data ownership, and the cloud are likely to be held back if negotiators fail to reach agreement by December.
If Parliament and Council negotiators are to be believed, the signs are positive for the successful conclusion of talks on data protection reform. Negotiations have begun between the Parliament and Council on the Data Protection Directive, and the Luxembourg Presidency is confident that agreement can be reached before the end of year.
For the GDPR, in a recent update delivered to the Civil Liberties Committee, Parliament Rapporteur Jan Philipp Albrecht (Greens/EFA, DE) estimated that agreement had been reached on “70-80 per cent” of the Chapters of the Regulation discussed so far in trilogue, with a general mood of positivity in negotiations.
Both Mr Albrecht and the Luxembourg Presidency have stood firm in their belief that agreement will be reached by December 2015, but major hurdles are only just being traversed.
Some of the most controversial aspects of the GDPR – on which the positions of the Council and Parliament are furthest apart – have been discussed this month, including the role of data protection authorities and the “one-stop-shop” principles (Chapter VI), co-operation (Chapter VII), and remedies, liability and sanctions (Chapter VIII). All include issues on which the Parliament and Council strongly disagree, including the appointment of data protection officers and the level of sanctions to be imposed on data processors that break the rules, and it is yet to be seen how close the two institutions are to compromise.
Another obstacle to be tackled is the 6 October CJEU decision in the case Max Schrems v. Data Protection Commissioner, in which the court invalidated the US-EU Safe Harbour agreement governing data transfers.
While the EU institutions are still analysing the ramifications of the CJEU decision, it may yet have repercussions for the data protection negotiations. Negotiators are due to return to the issue of Chapter V of the Regulation – on which broad agreement had been reached previously – in trilogues in the coming weeks.
Furthermore, it is unclear what impact the court’s decision will have on the Commission’s as-yet-unreleased “Free flow of data” initiative, which seeks to tackle “unjustified restrictions on the location of data for storage of processing purposes.” With the Commission once more grappling with the issue of transatlantic data flows, it remains to be seen what impact this will have on its approach to European data flows often intrinsically linked to servers located in the US and in other countries.
What does the data say?
Overall, however, the process appears to be on schedule. Nevertheless, the fallout from the Schrems decision, a return to Chapter V, and ongoing talks on some of the more controversial elements of the Regulation opens up the potential for delays, both for talks on data protection reform and for the elements of the DSM strategy resting upon their conclusion. For now, however, the data-related elements of the DSM seem to be on track.
James Sibley leads on the Transport and Technology portfolios for the DeHavilland EU team. James has two years' experience working in Brussels, taking roles at the European Parliament and a public affairs consultancy. He is a graduate of the University of Exeter.