On June 15, 2015 the European Commission announced that its proposal for a new Data Protection Regulation had finally reached the stage of “trilogue” negotiations (i.e., negotiations between the EU Council, the Commission, and the Parliament) after justice ministers in the EU Council agreed on a compromise text. This increases the likelihood of the EU institutions approving the regulation by the end of the year. However, a large part of the scope will now be left to national legislation, which could lead to most of the initial objectives of the proposal not being met.
The large number of exceptions is watering down the text and reducing the much-needed consistency
Even as the announcement came that the proposal for the new Data Protection Regulation had moved to the final stage of negotiation, the optimism that this step was supposed to spark was fading away among many stakeholders. The start of the trilogue negotiations should be welcome after more than three years of work on and amendments to the EC’s initial proposal, yet the details show that the members of the EU council have “agreed to disagree” on key parts of the regulation instead of reaching meaningful and functioning compromises.
Exceptions have been accepted on more than one-third of the articles of the proposals, meaning that the relevant aspects will be regulated by individual national legislation. In practice, the regulation (which is supposed to be valid for all EU states without needing national legislators to transpose it) is being turned into a de facto directive. In fact, the situation may be even worse, given that the EC has a process in place to ensure that directives are transposed in a correct and timely fashion, whereas a regulation is supposed to be valid for all EU countries once it has been passed.
Crucially, the issue is not only one of quantity. It is now proposed that national legislators will be able to rule on key aspects of the rules, including the definition of “data controller” and the rights of the data subject stated in the Articles 12–20 of the proposal. As things stand the regulation is going to benefit neither consumers nor businesses because it removes most of the consistency that the initial proposal aimed to achieve. It also contains loopholes that make many of the stated rights of the data subject no more than empty promises.
Although it is now more realistic that the regulation will be passed by the end of 2015, there are huge questions as to the actual impact of a framework that is both more confusing and potentially less effective than the outdated rules it is meant to replace.
Data Protection Tracker: 1Q15, TE0007-000867 (January 2015)
Current Status and Future Developments in Data Protection, TE0007-000812 (August 2014)
Luca Schiavoni, Senior Analyst, Regulation