What's happening with the general data protection regulation?

It's over a year since the European Commission published the draft General Data Protection Regulation.  If you want to know what is happening with the draft Regulation and when it might become law, here's our latest view (and happy European Privacy Day to all our readers!):

  • Five committees within the European Parliament (consisting of 736 MEPS) are currently reviewing the proposed data protection reforms.  Each committee (including 'legal', 'civil liberties' and 'industry' committees), will then submit amendments to the proposed reforms.

  • The five committees will come together to negotiate and agree a consolidated set of amendments to the Regulation (this is expected to happen in April 2013).

  • Simultaneously, the Council of the European Union (a council consisting of ministers of each Member State with responsibility for this area) is also considering the Regulation.  During this process, Ministers are informed by relevant departments and bodies within their own Member State (so in the UK, the Ministry of Justice has led the review process including liasing with industry and the ICO in its capacity as the UK regulator for data protection).

  • Whilst the committees of the European Parliament are in advanced stages in considering their 'compromise' amendments, the Council has not yet finished its first round of amendments.

  • Once the European Parliament and the Council have created their consolidated views on the Regulation (the first reading), they will enter into a further phase of negotiation to agree the text of the Regulation (expected in April/May 2013).

  • If the European Parliament and the Council cannot reach agreement, there will be further readings and negotiation phases - if agreement is not reached, a conciliation committee will meet at the end of 2013 to agree the way forward/revised timeframe.

  • There are some fundamental issues which still need to be agreed including whether the new laws should be in the form of a Directive (to provide greater discretion to Member States as to how they implement the laws in their own country, which is the UK preference) or as a Regulation (to limit discretion and ensure greater harmonisation of data protection laws across the EU) so, lots to do and agreement in principle by June 2013 looks unlikely to us.

  • In the ICO's latest update on the timeframe for the Regulation, the Deputy Commissioner states that 'the timetable is ambitious...[and] not many people expect agreement in June this year'.  He goes on to suggest that there is an imperative for the new laws to be agreed by 2014.

  • Once the Regulation does become law there will be a two year grace period for organisations to comply with the new laws - if the Regulation takes effect in anything like its current form, we believe that organisations will need all of this time to consider the impact of the new laws on their organisation and to change their processes and policies accordingly.

So, we still don't have total clarity as to when the Regulation will be agreed and when it will become law but we will keep you posted with any further developments.  In the meantime, happy European Privacy Day!

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.