The Rocky Road Towards Europe's New Data Protection Laws - Fasten Your Seat Belts!

If you are wondering where the new European data protection regulations are up to, after all the fuss about them over the past year, this is the latest!

Everybody agrees that the current Data Protection Act (and its equivalent legislation across the EU) has got some issues and needs updating (in particular, concerns around the lack of consistency across different countries).  There is a draft General Data Protection Regulation, but it has been hotly debated ever since its initial release- its prescriptive approach and the estimated costs of compliance for organisations and regulators has created wave after wave of criticism and a plea to the Commission to reconsider the general approach (culminating in the UK suggesting that the Commission 'should go back to the drawing board').  So, if everyone agrees that European data protection laws need to change, why is taking so long (and where are the Regulations upto)? 

In the UK, the ICO's view is that whilst it is possible that the new Regulation could be passed in the next 12 months, there is still a huge amount of work to do to get to an agreed position on the Regulation and various fundamental issues and points of detail need to be debated and resolved.  In particular, the ICO has expressed concern with both the size and general approach to fines - the Regulations envisage:

  • Fines of upto 2% of turnover for data protection breaches.
  • A mandatory obligation on the regulator to apply a fine for every breach.
  • An obligation on all organisations to report security breaches on a mandatory basis.

All of which is a long way from the current position where the ICO has discretion to apply a fine (which it often doesn't exercise), where the fines are capped at a maximum of 500k (with the highest to date being £325k) and only certain organisations being under a mandatory obligation to report security breaches.  A key concern of the ICO is that it simply doesn't have the resources or infrastructure to operate on this basis, and that as a point of principle, it doesn't believe that mandatory application of fines will lead to improved compliance with data protection laws or drive appropriate behaviours.

In the EU, there is an increasing sense of frustration regarding the ongoing delay to implementation of the Regulations and a vote will take place on 21 October to try and refocus attention on the Regulation and the importance of getting them finalised quickly (much has been made by the EU Justice Commissioner, Viviane Reding, of the recent issues surrounding Operation Prism and misuse of personal data by government agencies on a global basis as a reason for getting the Regulations into place quickly).  In the same week as the vote takes place, EU heads of state and government will attend a summit to discuss Europe's digital economy and the Regulations will no doubt be on their agenda.  So, expect to see increased focus on the Regulations over the next few weeks (now that most of Europe has returned from its summer holidays).

The Regulation has been on a rocky road since the first draft was made available and has drawn criticism from virtually every organisation, body or committee that has reviewed and commented on it.  The road doesn't look like its going to get any smoother, but what is clear, is that the European Commission is looking to press down hard on the accelerator to get the Regulations into force across Europe as quickly as possible (and probably in the 12 months), but the ICO remains extremely concerned about rushing the Regulation into law in anything like its current form - all of which may well see the Commission and the UK regulator (with the support of some other privacy regulators and UK businesses) on collision course!

So, fasten your seat belts as the Rocky Road towards the Regulations looks set to continue.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.