Following the European Commission and European Parliament’s proposed versions of the EU Regulation on Privacy and Electronic Communications, we are now waiting for the Council of the European Union to agree their position before discussions between the three bodies can begin. A discussion paper from the Bulgarian Presidency of the Council dated 11 January 2018 shows that the Council is still considering multiple options in relation to several critical issues.
On 1 February 2017, the German federal cabinet adopted a draft data protection bill. The planned implementation statute aims to supplement and further define the EU General Data Protection Regulation, which will come into force in 2018. The Chronicle of Data Protection’s summary of the most relevant aspects of the draft bill can be found here. We turn now to a preliminary assessment and explanation of proposed bill, provided by German Data Protection and Freedom of Information Officer Dr. Stefan Brink, European Parliament member Jan Albrecht, and Hogan Lovells partner Tim Wybitul.
The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement. As a sign of support for the deal, the Working Party welcomes the initiative to set up a general data protection framework in relation to law enforcement cooperation. In a fairly positive tone, the Working Party states that the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the US, some of which were concluded before the development of the EU data protection framework.” This statement by the Working Party follows its recent announcement that it had created a working group for enforcement actions on organisations targeting several member states, which is yet another sign of the growing international ambitions of the EU data protection authorities.
Unveiled February 29, 2016, the new EU-U.S. Privacy Shield attempts to address the shortcomings of the Safe Harbor arrangement identified originally by the European Commission and later by the Court of Justice of the European Union in its Schrems decision. The Privacy Shield proposes improved data protection principles, better enforcement by the US Department of Commerce and the Federal Trade Commission, redress mechanisms for EU citizens, and safeguards surrounding law enforcement and intelligence activities. The European Parliament adopted a resolution on May 26, 2016 praising the progress made, but highlighting shortcomings in the Privacy Shield as presented in February 2016. Now that the Irish Data Protection Controller has referred another data transfer mechanism known as Standard Contractual Clauses to the courts for review of their adequacy, greater focus will be placed on whether the criticisms of Privacy Shield are well founded.
Last Friday, the EU Council has adopted its position at first reading on the data protection reform. This prepares the way for the final adoption of the legislative package which includes the General Data Protection Regulation by the European Parliament on 14 April 2016. This formal adoption by the EU Council comes after the compromise agreed with the European Parliament on 15 December 2015.
It’s been a long way and the task is not over yet. However, there is light at the end of the EU data protection reform tunnel. The modernisation of European privacy laws has reached a critical milestone and we can now safely assume that this process will culminate in a radical new framework in a matter of months. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”
All eyes are currently on the Council of the EU to figure out when and in what form we are likely to see a new EU data protection law emerging. The adoption of this law, which has been in the making since the European Commission presented its vision for a modern privacy regime in 2010, will have vital and global implications for the future of our data-driven existence. This explains the cautious progress so far, but the need for a modernised regime is pressing. Six presidencies have so far managed the adoption process within the Council—which together with the European Parliament has legislative responsibility for passing EU laws—and each has made its own contribution to the process. But the Council has been the key focus of attention of the ongoing legislative process since the European Parliament approved its own draft of the EU Data Protection Regulation in early 2014.
Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.
On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the s0-calle “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.
Data Protection Day in Europe, 28 January 2014, saw the announcement by EU Justice Commissioner Viviane Reding of a more precise timetable for the adoption of the EU’s data protection reform package, comprising a Regulation governing general data protection and a Directive governing the use of personal data in the area of law enforcement and crime. The Council of the EU will agree upon a formal negotiating mandate by the end of June 2014, with a view to inter-institutional negotiations concluding by the end of 2014.
Jan Albrecht, the rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, released a draft report last month with key proposals to amend the European Commission’s proposed Regulation on data protection. The report includes a total of 350 amendments to the original proposal. Highlights of the 215-page report include the following:
Commissioner Reding says right to be forgotten must be balanced with other rights. European Parliament Committee says regulation should be a minimum, calling for class actions and expanded extra-territoriality.
The network neutrality debate in the U.S. has moved to the appeal courts as the 2010 FCC Order, which becomes effective on Nov. 20, awaits review. Meanwhile, two E.U. developments presage more regulatory steps forward. The result is movement away from the European Commission’s wait-and-see communique announced just last April.