All eyes are currently on the Council of the EU to figure out when and in what form we are likely to see a new EU data protection law emerging. The adoption of this law, which has been in the making since the European Commission presented its vision for a modern privacy regime in 2010, will have vital and global implications for the future of our data-driven existence. This explains the cautious progress so far, but the need for a modernised regime is pressing. Six presidencies have so far managed the adoption process within the Council—which together with the European Parliament has legislative responsibility for passing EU laws—and each has made its own contribution to the process. But the Council has been the key focus of attention of the ongoing legislative process since the European Parliament approved its own draft of the EU Data Protection Regulation in early 2014.
As we enter 2015, Latvia is in charge of closing many open areas. At this stage, we have very little by way of fully agreed positions amongst member states, but there is a fair amount of consensus on key issues like the responsibilities of controllers and processors and the risk-based approach. Other big topics remain undecided—like the controversial one-stop-shop provisions—or indeed entirely unaddressed, such as sanctions and special exemptions. Whilst the difficulty of getting 28 national governments to agree on a piece of legislation which is so politically charged and economically crucial should not be underestimated, the inability to move forward will only cripple Europe’s role in this debate. Therefore, the time for decision-making within the Council is now (read within the next six months) or the whole process risks losing credibility and influence outside Europe.
Once a final agreement is reached within the Council, the most difficult part of the legislative process will commence. This is a three-way negotiation (known as ‘trilogue’) between the Council and the Parliament—as legislative bodies—and the European Commission, which will mediate between the other two and guide the final stages of the process. The Parliament has been patiently waiting and preparing to fight its corner with the Council for the best part of a year. With its elaborate and carefully thought out draft, the Parliament is expected to be very firm in its demands for strong rights and full control by individuals over their own data. Whilst commendable from a public policy perspective, the Parliament’s line will need to survive the test of incessant technological development and data globalisation.
This means that a dose of flexibility in the political thinking of the Parliament will be essential. The fact that the previous work of the Parliament’s LIBE committee was so efficiently handled by Jan Albrecht and his team should be a reason for optimism, but the temptation for tight geographical data protectionism will be strong and could damage the outcome. Here is where some clear direction by the European Commission will be critical. In doing so, the Commission must stay focused on the primary policy objectives of the law—harmonising and future-proofing a framework aimed at protecting the golden eggs of Europe’s and the world’s prosperity.
No doubt, this will require some creativity to devise solutions and approaches that may not provide the highest level of legal certainty at the outset, but that with the right guidance from policy makers and regulators will deliver the right balance between the protection of privacy and economic and societal progress. We must assume that all of this will take time even if concerted efforts are made by all involved. Agreeing on the final version of the new law before the end of 2015 is not impossible, but it will be very challenging as it will require that all factors affecting the process—decisiveness, flexibility and direction—fall into place in a seamless and uninterrupted way. That’s what I call a New Year’s resolution.
The above piece, written by Eduardo Ustaran, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on January 13, 2015. The post, New EU Data Protection Law in 2015? Decisiveness Flexibility and Direction Are the Answer, is reprinted in its entirety with permission from the IAPP.