Data Protection Regulation: is the end game finally nigh?

Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning: Winston Churchill

During the past three years or so, I've destroyed a fair amount of (valuable) brain matter trying to work out where the reforms to the EU's data protection laws sat at any one point in Mr Churchill's handy timeline.

It is fair to say that my opinion has varied on almost a daily, if not hourly, basis.

So while the world has got on with creating gargantuan amounts of data, the process of agreeing the new General Data Protection Regulation has seen a succession of ups and downs and, to no-one's surprise, an equally gargantuan number of legislative amendments. Last time we checked they counted in the thousands.

However, it does seem as though progress is being made.

Finally.

The end is indeed nigh.

So where exactly are we now?

In a trilogue.

If you are unaware of what this means—and most people are, given that there is no express mention of it in the EU treaties—this is where the Council, Commission and European Parliament lock themselves in a stuffy room to hammer out the final version of the new General Data Protection Regulation.

No formal minutes are taken, nobody outside the room really knows what is going on in it and, even more surprisingly, people often don't even know where the meetings are taking place (well, except for the attendees, of course).

Is it any wonder that citizens and businesses often complain that they don't always feel engaged with the legislative process?

But that's another story*.

Whatever the rights and wrongs of this process, the upshot of it is that we don't really know how negotiations are proceeding. For all we know, a final form could be announced by the end of the year—which the Commission certainly wants to see—or, on the other hand, we might well be into next year before the ink dries on the press release announcing a new regulation.

All the more reason to always keep a keen eye on developments.

What are the main areas of discord?

In particular, there are ongoing discussions over:

  • the nature of the consent from data subjects to the processing of their data
  • whether it should be mandatory for certain companies to have a data protection officer
  • how the proposed 'one stop shop' would work (i.e. where a regulator in the business's country of main establishment handles data protection cases and takes the lead, as opposed to, potentially, regulators in various EU countries)
  • what the level of sanctions should be, and
  • when the authorities should be informed of a data breach

Check out the table below for a brief overview of the Council, Commission and European Parliament's respective positions.

[table id=2 /]

What about other types of (non-personal) data?

Although the regulation does not deal with non-personal data, it is noteworthy that this is also starting to appear on the Commission's radar.

Andrus Ansip, European Commission Vice President who is leading the Digital Single Market Project Team, recently asked this question on his Twitter account:

https://twitter.com/Ansip_EU/status/623090063237345280

Wishful thinking or the first suggestions of a new initiative?

Only time will tell, but it is worth keeping an eye on once the regulation has been agreed.

Is there anything that businesses can do now?

Yes.

Assuming that the new rules are finally adopted, they will bring a high level of compliance obligations, with significant financial, resource (including IT) and administrative costs.

Although implementation of the reforms may seem to be some time ahead, businesses can start preparing now.

This blog post from Cordery sets out (at the end of the post) ten compliance issues for businesses to start considering now. It is well worth a look.

https://twitter.com/CorderyUK/status/619112031728353280

1,274 days after the Commission's initial proposal it is clear that we still have some way to go although, happily, the end game is now in sight.

So what do you think? Are you fed up with hearing about this regulation? Have you started preparing for it? If so, what have you been doing? Do let us know below.

*The European Ombudsman, Emily O'Reilly, has her concerns about trilogues too and has opened an investigation into their transparency with a view to 'boosting transparent law-making in the EU'.