EU General Data Protection Regulation: Stalled Until 2015?
It was on again, off again at the European Union (EU) for the proposed General Data Protection Regulation (Regulation) in October, as the legislation took a step forward in a key Parliament committee but seemingly stalled in the EU Council (Council). The path forward in the immediate future for the Regulation is unclear, with some parties suggesting adoption of the Regulation may now be delayed until 2015.
Progress at the European Parliament
The proposed Regulation, which was originally released by the European Commission on January 25, 2012, must be approved in an identical form both by the European Parliament, a directly elected body, and by the Council, which is made up of government ministers from the various EU national administrations, before it can become law. The Parliament's Civil Liberties, Justice, and Home Affairs Committee (LIBE committee), energized by the recent disclosures regarding mass electronic surveillance activities allegedly engaged in by the United States, voted on October 21 to approve a compromise draft of the Regulation containing several important revisions from the original version.
Among the notable changes, the revised draft approved by the LIBE committee would:
- Reinsert a provision excised from an earlier draft that would require a company to seek permission from an EU data protection authority and inform the affected person before complying with a non-EU country governmental request to disclose personal data processed in the EU (the so-called “anti-FISA” clause);
- Increase the possible maximum fine for companies to €100 million or 5% of annual worldwide revenue (an increase from the original proposal of €1 million or 2% of annual revenue);
- Revise and reframe the previously proposed “right to be forgotten” as a “right to erasure;”
- Merge the right to “data portability” with the right to “data access” and clarify that electronically processed data should be provided to data subjects on request “in an electronic and interoperable format” to facilitate moving data between service providers;
- Revise the “one-stop-shop” mechanism to require that lead data protection authorities for companies operating in multiple EU states act only after consultation with all other “competent” authorities, and to allow individuals whose data is processed in another member state to complain to the data protection authority of their choice; and,
- Provide a regulatory framework that would allow some pseudonymous profiling without individual consent.
Although typically the committee's draft would next go to the full Parliament for approval before being sent to the Council for review, key Parliament and European Commission officials have expressed a desire to see the Regulation finalized and approved in advance of the May 2014 Parliamentary elections. Failure to approve the regulation by then could delay the overall process, as new Parliamentarians might wish to put their own mark on the draft Regulation. Accordingly, the LIBE committee also approved a mandate to move directly to “trilogue” negotiations with the Council, in the hopes of reaching a mutually agreeable compromise that could be approved by both bodies on a First Reading in the Spring.
The Council Hits the Brakes
Unlike Parliament, the Council does not seem to be moving with a sense of urgency, and debate continues regarding fundamental aspects of the regulation. For example, while the Council's Justice and Home Affairs Committee (JHA) agreed in principle to the Regulation's “one-stop-shop” mechanism—a key innovation that would allow businesses operating in multiple EU countries to register with and be regulated only by a single data protection authority—reports from JHA's October 7, 2013, meeting suggest there remain significantly divergent views as to how the mechanism should be implemented and how much authority local regulators in each country should be expected to cede. The Committee agreed during that meeting that further “expert work” should continue to determine an appropriate model for the balance of powers between the “main establishment” supervisory authority of a company and the supervisory authority with the greatest proximity to a particular individual.
The momentum the proposed Regulation had built up out of the LIBE committee seemed to evaporate at the October 24-25, 2013 summit of EU heads of state. At the summit, the United Kingdom and Germany each supported delaying adoption of the law, but for different reasons. The UK reportedly expressed concern about the economic impacts of the new rules on small companies. Whereas, according to German Chancellor Angela Merkel, Germany—with relatively strong existing privacy laws—wanted to avoid moving too quickly to ensure that its citizens' existing rights are protected. Ultimately, the conclusions adopted by the summit were vague as to the timing for adoption of the Regulation, stating only that “timely” adoption of the regulation “is essential for the completion of the Digital Single Market by 2015.” This statement has been interpreted by some as suggesting that the Council does not intend to open trilogue negotiations with the Parliament's LIBE committee at this time, and may not again begin working in earnest on the proposed Regulation until late 2014 or early 2015.
The Future Is Unclear
Despite the tepid reception the Regulation received at Council, other EU officials continue to keep pressure on this issue. The Parliament's LIBE committee already has held or scheduled nine public hearings on Electronic Mass Surveillance of EU Citizens. European Commissioner for Justice Viviane Reding recently visited the United States calling for strong data protection rules. And German officials reportedly considered pushing for data protection issues to be included in a future U.S.-EU trade agreement, a proposal that the European Commission has warned could impede progress in the ongoing trade negotiations.
Nonetheless, with the cryptic statements coming out of the Council, the prospects for the quick passage of the Regulation in the short term are uncertain. The European Parliament is scheduled to take a vote on the Regulation in April 2014. Should the LIBE committee and the Council reach a compromise proposal through direct negotiations before then—a “First Reading Agreement”—the Parliament would vote on that draft. Should there be no First Reading Agreement by the April Plenary, the Parliament will vote instead on the compromise draft approved by the LIBE committee. If the LIBE committee draft is approved by Parliament at First Reading, that draft would be transmitted to the Council and would form the basis for its continued work on the law.