January 28, 2016 marks the 10th anniversary of the European Data Protection Day, on which EU institutions draw the public’s attention to privacy issues and the regulatory initiatives intended to address them. The European Commission has undeniably made significant efforts to improve the European framework for data protection, which needed an update. However, many challenges loom ahead and there is still plenty of uncertainty around the outcome of the reforms.
Replacing the Safe Harbor agreement with the US will be difficult due to conflicting interests
The European Commission must be given credit for putting considerable effort into improving data protection rules in recent years. It is unsurprising that it chose to celebrate Data Protection Day by reminding the public that one year earlier it had committed to reaching an agreement on the new Data Protection Regulation, and that it delivered on the promise during 2015. The current rules certainly need an update, being unfit for the digital age we live in. However, the EC may have to leave the champagne on ice for now, for at least three reasons.
First, the new reform still needs one final formal approval from the whole parliament; although this should be a formality, it is still a key condition for completing the process. Second, the practical impact of these reforms is still unknown; the rules will only apply as of 2018 and at that point the initial proposal will be six years old. Technology developments could make some of the new rules outdated even at the moment they come into force – particularly given that IoT services will become more widespread and the sharing of personal data will be even further out of users’ control.
Third, and probably the most important point, as the EC itself notes in today’s statement, the framework for transfer of personal data outside the EU remains a key challenge. In particular, the current efforts to replace the Safe Harbor agreement will play a significant role in shaping digital industries, because the flow of personal data to the US (the home of many prominent tech and media companies) is a crucial part of tech companies’ business models. There remains a conflict between diverging interests, and US legislators have a tendency to seek a strong level of control over the personal data of foreign citizens in order to tackle crime. These factors could hamper the adoption of a coherent set of rules to safeguard EU citizens’ rights while ensuring that businesses do not face an unsustainable regulatory burden. Negotiations on a new agreement are currently underway, although nothing yet suggests that a meaningful outcome is within reach.
Luca Schiavoni, Senior Analyst, Regulation