On 25 January, the European Commission presented a proposal to reform the EU’s data protection regime. The proposal consists of a regulation governing private sector use of data that would replace the current Data Protection Directive (Directive 95/46/EC), and a new directive that would further regulate the processing of personal data in relation to law enforcement and judicial activities.
The commission’s proposal - and the regulation in particular - represents a sweeping attempt to expand the scope of the current European data protection rulebook. Not surprisingly, the draft has already drawn the attention of industry in and outside Europe. Among other measures, the proposed regulation introduces a range of new rights for European data subjects such as a ‘right to be forgotten’ and a right to export data from one online service into another. The proposal also imposes new obligations on those handling personal data, including obligations to design products and services with privacy in mind, to appoint data protection officers and to generally be responsible with regard to the data in their stewardship.
In a move transparently aimed at US-based technology and social networking companies, the new regulation extends the reach of European data protection rules to regulate the activities of companies established entirely outside the EU if they process the data of EU citizens, and attempt to monitor their behaviour or sell them goods or services. And equally significant, the regulation empowers national data protection authorities - and actually requires them - to levy fines of up to 2% of annual worldwide turnover on businesses that fail to comply with key elements of the new regime.
Perhaps the most significant potential change would be the high level of harmonisation promised by the reform. If adopted, the regulation could significantly ease today’s fractured patchwork of 27 national data protection laws that companies must currently navigate in Europe, replacing it with a single law that would subject companies operating across Europe to a single supervisory authority. This is ultimately the bargain that EU Commissioner Viviane Reding is offering to industry: a more stringent and extensive law, but only one law (and not 27).
Whether the commissioner’s bargain survives the legislative process remains to be seen, however. In the next stage, the commission’s proposal will be reviewed by the European Council and European Parliament. This step will be crucial for pro-industry interests as they seek to solidify the benefits of the draft regulation, but it may also prove unexpectedly risky.
Although the political dynamics in both the council and parliament are complex and difficult to predict, we can expect certain patterns to repeat themselves. As it has in the past, for example, Germany is likely to push a robust pro-privacy position (echoing the parliament’s position in many ways). In contrast, expectations are that the UK may - as it has in the past - lobby for rules that do not unduly burden British businesses and their foreign (that is, American) counterparts.
The council as a whole may also view some of the key elements of the commission’s proposal with suspicion. One of the most controversial aspects of the draft regulation - and one that may prove a sticking point in negotiations in the council - would empower the commission to adopt a wide range of secondary legislation, in the form of ‘delegated’ and ‘implementing’ acts.
It is perhaps unsurprising that the commission would suggest delegating further powers to itself, but the sheer number of such provisions - there are over 30 of them in the draft regulation as it now stands - could trigger a drip-feed of new bureaucratic standards and compliance procedures that could continue for many years after the regulation itself is adopted. While a steady stream of new data protection requirements would be a boon for data protection lawyers, businesses may find that commissioner Reding’s promise - for a unified data protection law for Europe and simplified compliance - vanishes under the weight of an ever-growing stack of unmanageably complex new commission-designed rules.
The council is likely to see the unprecedented scope and number of the legislative powers delegated to the commission by the draft as a continuing encroachment by the commission upon lobby issues best left to the sovereignty of the member states. For this reason, the council could decide to trim the number of provisions delegating power to the commission during the review. This revision would be welcome news for companies, as it could help to avert the ‘drip-feed’ scenario envisaged above and preserve the main upside of the regulation as promised by Commissioner Reding.
On the other hand, the council might go further and push for a root-and-branch revision of the regulation, suppressing its most positive effects for industry. Member states will not be enthusiastic about giving new legislative powers to the commission, and may prefer a directive over a regulation because it would allow them to amend their own national laws, instead of having to replace them. This could leave businesses facing a grim possibility, as a continuing patchwork of 27 national data protection laws changes under a new directive to become stricter and more extensive, but not significantly more harmonised.
If the council does move in this direction, its attempts will likely be challenged by the European Parliament, which is usually keen to preserve the elements of commission proposals that reinforce the use of community instruments. While the ultimate outcome of these negotiations is not clear, what is clear is that the current draft raises difficult and controversial issues, and will be subject to intense debate in the council and in the parliament - and that each institution may push in opposite directions. There are real risks that the benefits promised to industry by commissioner Reding could be lost between the gears of the European institutions if industry does not engage carefully and wisely in the legislative process over the coming months.
Jean de Ruyt was, until recently, the permanent representative of Belgium to the EU. He is now a senior policy adviser in Covington & Burling’s Brussels office and advises industry on how to navigate the European institutions. Lisa Peets is a partner who chairs the firm’s European Government Affairs practice.