December 5, 2013
Many organizations will have been relieved to find that the implementation of the update to existing European data privacy laws, the EU Data Protection Regulation, has been postponed. Adoption of the Regulation is now scheduled for 2015, which means it will be 2017, possibly the end of 2017, before it actually becomes applicable.
At least, that’s what it looks like. In typical fashion, the official document released after the European Council meeting in Brussels on Oct 25th is the result of much political horse-trading, and avoids specificity on any matters where agreement is lacking. As a result, one has to rely on a variety of third-party sources in order to piece the story together. In a nutshell, a number of countries felt that the process for finalizing the EU Data Protection Regulation should be slowed down. The UK and Germany in particular argued that further consideration was required, albeit not for the same reasons: on the British side, the concern was the potential adverse impact on business of very stringent rules, whereas Germany wants to ensure that all required safeguards are in place.
Those who are rejoicing over the postponement shouldn’t pop the champagne corks yet, though. While the extra time is no doubt welcome, headlines such as “Victory for tech giants on EU data laws” are premature: nothing is finalized, and there is still the chance that the final version is rather more restrictive than many would hope.
And that chance is real. A few days before the postponement, the European Parliament’s Civil Liberties Committee (LIBE) voted on the latest version of the proposed Regulation. If all had gone to plan, that version would have been taken into the so-called ‘trialogue’ – behind-the-scenes discussions between LIBE, the European Council and the European Commission. Following the trialogue – and of course assuming that agreement was reached – the Regulation was to be voted upon by the European Parliament in Q1 2014. Why Q1? Because of the European Parliament elections in May 2014.
While that version has been kicked into the long grass for now, it’s important to note that it contains a number of provisions that had previously been rejected in their original form as being too restrictive or simply not feasible to implement. Whether it’s camomile tea or something stronger that calms your nerves, you might need it once you’ve digested the potential implications of the revisions LIBE included. Of particular note are the following:
- Data transfer to non-EU countries: in response to “mass surveillance activities”, strict procedures would need to be followed, including authorization from the national data protection authority.
- Sanctions: proposed fines were increased to EUR 100 million or 5% of annual worldwide turnover.
- Right to erasure: this once again contains a proposal that when a request to erase data (e.g. a personal profile with a social network) is received, the data controller should forward the request to others who might have replicated the data.
- Explicit consent: consent really must be explicit, and it would not be permissible to make, for example, provision of a service conditional upon provision of data other than that strictly necessary for the delivery of that service. Also, withdrawing consent must be as easy as giving it.
- Profiling: only permissible with consent, regardless of purpose, unless “provided by law or when needed to pursue a contract”. Profiling also should not lead to discrimination, or be based purely on automated processing. Anybody should have the right to object.
Clearly, much can change yet, and most likely will. And as the differences of opinion between European leaders at the October summit demonstrated, consensus is a long way away. The best one can hope for is that all those involved use the extra time to think very thoroughly about the potential consequences and implications of each and every clause for citizens and businesses.