The EU Regulation – approaching the home straight?

By David Smith, Deputy Commissioner and Director of Data Protection.

EU-reforms-blog-1

As Brussels takes its summer holidays (we soldier on here at the ICO!), it’s an opportune time to again take stock of what still needs to be done before we see the EU’s data protection reforms in place. Back in February, I said we’re not even in the home straight, let alone close to the finishing line. This blog brings positive news of real progress. There’s still some way to go, but that home straight does seem closer.

The big news is that the Council of the European Union, which is where the governments of members’ states are represented, has agreed its position. We’ve published a commentary on this text, including the areas where we consider that there is the greatest need for improvement as the trilogue progresses. There’s no doubt it includes a certain amount of papering over of cracks between different governments’ views, but the ‘general approach’ agreed in June means, at long last, the Council has its own version of the text of the Regulation to bring to the negotiating table.

This negotiating table, you may remember, is known as the trilogue or, more correctly, a series of trilogues. Technically it’s not a formal part of the decision making process, so there’s no rule book that it follows, but it’s where representatives of the Council, the European Parliament (which adopted its version of the Regulation back in March 2014) and the European Commission (which put forward the original proposal for a Regulation as long ago as January 2012) come together to thrash out a final text.

Encouragingly, but perhaps not surprisingly, the reports that have emerged of the two trilogue sessions held so far are positive and suggest that there has been a real effort to find a workable compromise between the texts, rather than just looking for the lowest common denominator.

What has also come out of those early sessions is a planned timetable that runs until December. If all goes according to that plan, then we’ll know pretty much what’s going to be in the Regulation by the end of this year.

There’s plenty to discuss before then, of course. Here’s a few areas to look out for:

  • The devil is in the detail. The trilogue is all about compromise, but there’ll be plenty of interest in the specifics of any arrangements. For example, it will be interesting to see, when the detail emerges, whether there really is any consensus around Article 43(a) of the Parliament’s text which, in the post Snowden era, attempts to regulate situations where there is a conflict between, on the one hand, a legal requirement of a non-EU country that requires the disclosure of personal data held in the EU to that country and, on the other hand, EU data protection law which restricts such disclosure.
  • September not April may turn out to be the cruellest month. That’s when it is likely the going will start to get tougher, as the trilogue will be looking at key principles including the extent to which the processing of personal data can be based on a data controller’s ‘legitimate interests’, and how far ‘incompatible processing’ is permissible. There’s been much criticism of the Council’s text in this area, but the Parliament’s text has its problems too, so it would be foolish to try to predict just what will emerge.
  • Times they are a changing. Even without the full detail, it is clear from the early session discussing international transfers that we can expect to see more detailed supervision of these in the UK than we have been used to up to now. We also know there will be compulsory breach notification, both to affected individuals and to data protection authorities, though we don’t know yet whether all breaches or only high risk ones will have to be notified, nor whether notification will have to be within 24 hours, 72 hours or simply “without undue delay”.
  • Simplicity is key. Our input throughout has been to stress the importance of the final text being clear, simple and easy to understand if it is to have the desired effect of improving privacy protection for individuals in practice as well as on paper. Our colleagues at the European Data Protection Supervisor (EDPS) have echoed our pleas in their recent opinion 3/2015 on what they call “Europe’s big opportunity”. They have accompanied this opinion with a side by side comparison of the three proposed texts and what the EDPS would like to see in the final version. Although strictly for students of the process, running to over 500 pages, this is a very useful analysis. We don’t necessarily agree with all the EDPS’s ideas, particularly around the regulation of international transfers, but we commend them for their work and for producing their analysis in the form of an app.

Finally, a word on the proposed Directive on data protection in the law enforcement and justice sectors, which sits alongside the Commission’s general Regulation. The Council is still discussing its position on this, with the aim of having something to take to trilogue in the autumn. The Directive would then enter discussions alongside the Regulation, with the assumption that most of the difficult questions will already have been answered in the context of the negotiations on the Regulation. This might work but there are some big differences between the Parliament’s position and the Council’s position that will need to be overcome so it could end up actually delaying the conclusion of the trilogue. Not least amongst these differences is the question of precisely where the boundary should be drawn between the Regulation and the Directive when applied to the processing of personal data in the field of “public security”.

So there’s much hard work to be done yet but I’m encouraged that what I said back in February still remains true. At the ICO we’re continuing to work in the expectation that by the fourth anniversary of the Commission’s proposals – in January 2016 – we really will be into the home straight – even if reaching the winning post might still require a final push.

Last updated 26/08/2015 12:30

David SmithAs well as providing Data Protection leadership across the ICO, David Smith has direct responsibility for oversight of its Strategic Liaison Division which develops and manages the ICO’s relations with its key stakeholders.
This entry was posted in David Smith and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s