HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Future-Proofing Privacy: A Guide to Preparing for the EU Data Protection Regulation

It’s been a long way and the task is not over yet. However, there is light at the end of the EU data protection reform tunnel. The modernisation of European privacy laws has reached a critical milestone and we can now safely assume that this process will culminate in a radical new framework in a matter of months.

Influenced by overwhelming technological advances and the Snowden revelations, the resulting EU Data Protection Regulation is set to introduce new accountability obligations, stronger rights and ongoing restrictions on international data flows. Overall, the new framework will be ambitious, complex and strict.

Businesses operating in Europe or targeting European customers need to get their act together and start preparing for the new regime. At stake are not only the consequences of non-compliance, but also the ability to take advantage of new technologies, data analytics and the immense value of personal information. From determining when European law applies to devising a workable cooperation strategy with national regulators, there are many intricate novelties to understand and address.

Our guide “Future-proofing privacy” aims to be a useful starting point. 24 authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the forthcoming framework with a practical mindset, providing concrete suggestions for actions to take now.

Our team’s close involvement in the development of this framework has given us the opportunity to point out where the challenges lie and, more importantly, how to deal with them in a responsible and effective way. We are immensely grateful to the entire European team of our leading Privacy and Information Management practice, with a special mention to editors Eduardo Ustaran and Mac Macmillan. We hope that this guide is helpful in ensuring that privacy practices can contribute to prosperity and innovation.

“Future-proofing privacy” is published on this blog as an 11-part series spanning June 16 through June 30. Readers interested in accessing the full guide can do so here. Part 1 below sets the stage for EU data protection reform and summarizes the progress made so far.

Part 1: Data Protection Reform: The story until now

The European Union (the “EU”) has long been a trailblazer for data protection. When it passed Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Data Protection Directive”), it created what has often been described as a gold standard for data protection.

Although the authors of the Data Protection Directive consciously drafted a technology-neutral instrument, the publication in January 2012 by the European Commission (the “Commission”) of a draft proposal (the “Commission draft”) for a General Data Protection Regulation (the “Regulation”) confirmed the need for a wholesale reform. Following the numerous amendments to the Commission draft proposed by the European Parliament (the “Parliament”) in 2014, it was left to the Council of the EU (the “Council”) – which shares legislative powers with the Parliament – to put its proposal on the table.

We are now at the stage where three parties need to reach agreement on the draft Regulation before it can become law: the Commission, the Parliament, and the Council. This is done through a negotiation process known as the trialogue. During the trialogue, the draft of the Regulation approved by the Parliament (the “Parliament draft”) and the one agreed within the Council (the “Council draft”) will be thoroughly debated and, following a degree of compromise by all involved, a final version of the Regulation will eventually emerge.

Once the Regulation is formally adopted by the Parliament and the Council, there will be a two-year transition period before it becomes enforceable by data protection authorities (“DPAs”), but given the number of potential stakeholders in large organisations, and the lead times on IT projects, this may come to seem like not long at all. One thing is certain: all parties involved are committed to creating a robust framework that will become a focal point of reference for global privacy and data protection compliance, so now is a good time to start planning!

This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.