The proposed EU General Data Protection Regulation will be finalized in 2015. That was the conclusion of leading lights of the EU data protection scene at a standing-room-only event in Brussels on Wednesday.
It appears that a tipping point in the negotiations has been reached. The Council of the European Union (the 28 EU member states) needs to finalize its version of the draft regulation before negotiations can enter their final stage, but it has made incremental progress in the last 12 months. Antonio Mura, head of the Department of Justice Affairs at the Italian Ministry of Justice, has now confirmed that the Italian Presidency, which runs until the end of this year, intends to present agreed proposals on the public sector and the regulatory one-stop shop (OSS) at the meeting of the Justice and Home Affairs Council (Council of Ministers) on 5 December. If agreement can be reached on these two areas it will represent a remarkable achievement, as these have been seen as insurmountable obstacles to progress.
Many will recall the dispute a year ago over the OSS, when the legality of the European Commission’s model was challenged by the council’s legal adviser on the grounds that it cut across EU fundamental rights. The presidency proposes a hybrid OSS, where a lead regulator co-operates with regulators local to the where the complainant lives. This may not satisfy the purists, but it may be the only viable compromise.
At the panel discussion on Wednesday, jointly hosted be the German Federal Commission for Data Protection and the European Data Protection Supervisor, Mura reiterated that the regulation is not only an EU single-market issue, stating, “We need the highest affordable standard of fundamental rights,” with reference to Article 8 of the EU Charter of Fundamental Rights, which provides that everyone in the EU has the right to the protection of personal data. This was particularly reflected in the controversial judgment of the European Court of Justice in the right to be forgotten case that specifically referenced this right in concluding that an individual could have a search engine listing removed where the material it linked to was no longer relevant.
This theme was developed by Isabelle Falque-Pierrotin, president of the CNIL, the French Data Protection Authority, and also chair of the Article 29 Working Party. Falque-Pierrotin noted that the right to be forgotten judgment had shown that some of the ideas in the regulation were already being developed through the court, highlighting the urgency to get the regulation agreed to and to demonstrate to the world that Europe had a common standard in place and the regulatory powers to back it up.
MEP and Vice-Chair of the Committee on Civil Liberties, Justice and Home Affairs Jan Philipp Albrecht reflected on the question of quality versus speed, one of the factors that seemed to have delayed this whole negotiation. A note of caution was sounded by Parliamentary State Secretary at the Federal Ministry of the Interior in Germany Dr. Ole Schröder, who said that it was not possible to accelerate discussions unduly on this “gigantic package.” However, Albrecht responded by highlighting the need to get into the final round of discussions, the so-called trilogue that involves the commission, Parliament and the council bringing their own texts to the table with a view to thrashing out a final version between them.
Director of Fundamental Rights and Citizenship at the European Commission Paul Nemitz concurred by hinting somewhat ominously that if Germany in particular could not accept the compromises on the table on public-sector rules and the OSS, then the presidency can ultimately deploy a “qualified majority vote.” This would leave any isolated objectors to particular measures on the sidelines, but obtaining consensus amongst member states was the preferable approach.
Reflecting on my own experience as the former lead negotiator for the UK on the regulation at the DAPIX working group in Brussels, my prediction is that the council will agree on a general approach ahead of a meeting of the European Council, the EU heads of government, on 19 March 2015. This will allow enough time for the European Commission, the council and the Parliament to agree a final product to present to the world by the end of 2015, a much-touted target date.
Following entry into force of the regulation, there will be a two-year implementation phase where all businesses and organizations that handle the personal data of EU residents, regardless of where they are based, will need to put in place measures to be compliant with the new rules. For so long, the new General Data Protection Regulation had appeared to be over the horizon, but now it is finally coming into view.
In the meantime, all eyes will be on the meeting of the Justice and Home Affairs Council on 5 December. If Italy can deliver agreement on specific rules for the public sector, and crucially on the one-stop shop, then a big step will have been taken to finalizing the regulation in 2015. The Italian Presidency has taken the nuanced and pragmatic approach; I think they have every chance of making the breakthrough.
Edit, Nov. 12, 2014: The speaker from the Italian Ministry was not Enrico Costa, Deputy Minister for Justice. It was instead Antonio Mura, Head of the Department of Justice Affairs at the Italian Ministry of Justice. We apologize for the error.