The prophets and pundits have been out in force lately regarding the continuing saga of EU's attempt to modernize its data protection rules. And over the past year the European Commission has declared the reform to be "sprinting," "moving backwards" and lately moving from "dormant to dynamic." So what is a diligent privacy professional to think, let alone tell any clients or colleagues when they ask the most current question of the privacy profession: What is going on in Brussels?
Look to Berlin, Paris and London, rather than to Brussels
It is worthwhile to remember that while the pomp and circumstance of the EU may well be in Brussels, much power still lies with the member states. A fact that was confirmed once again when the German Minister of the Interior recently presented his road map for how the negotiations on the new data protection regulation should proceed. The German proposal had been awaited by many for the simple fact that what the Germans think is a crucial part of any EU negotiation. So what are the German wishes in regard to the proposed regulation?
First, they propose "opening up" the scope of the regulation to ensure that individual member states can both lower and raise the level of data protection set out in the regulation—but apparently only in regard to the public sector and in regard to the data protection for employees; i.e., HR data in both the private and public sector. Clearly, this would be a blow to the central idea of the proposed regulation; i.e., increased harmonization of data protection across the EU, but not as big a blow as if the regulation was turned into a directive, which would leave an even wider margin to member states. The fact that the proposed regulation for other reasons is still unlikely to bring anything like full harmonization is a matter for another day.
Furthermore, the Germans want to "further strengthen consent as the legal basis for data processing," solve the "one-stop-shop" issue, create better rules regarding transfer of data to third countries and deal with risks associated with big data and profiling. And finally, they want to ensure that freedom of expression is properly protected in light of the recent judgment in the Google Spain case.
In regard to the final point concerning the Google case and the ill-titled "right to be forgotten," the main issue flagged is how search engine operators can be sure of making appropriate decisions that not only protect privacy but also pay sufficient attention to freedom of expression. And while some have demanded that independent arbitration services be established, the German government seems to believe other solutions may be more appropriate.
The timing of this proposed "road map" is of course not accidental. A new Commissioner for Justice and Home Affairs (the relevant member of the EU's "executive") will be taking office soon, and—assuming data protection remains under this purview—the proposed regulation is bound to be as big a priority as under the current commissioner, Ms. Viviane Reding. Now that everyone knows what the Germans want in exchange for helping make the reform a reality, the in-coming Commissioner knows where to—shall we say—focus his or her efforts. How the German wishes are received by both the new Commission and the European Parliament will be crucial for the continued negotiations.
What's holding us up?
This question, of course, presupposes that one believes that some deadline has been missed. And while both the Commission and the European Parliament have—sometimes rather bluntly—asserted that the Member States are somehow opposed to new privacy rules, the reality is a bit more complex.
In order to affirm this fact one needs only peruse the footnotes of one of the many documents leaked from the expert level discussions in the Council.
But doesn't the Commission and the European Parliament care as much about the many complex issues raised by the proposed regulation? Yes and no—but mostly no. The point being that when the Commission proposed to replace the existing EU directive with a regulation; i.e., one law with limited room for national derogations, it in fact proposed to take the issue of privacy almost completely out of the hands of the national governments and place it firmly in the hands of the European Commission and Parliament for future regulation. No longer would member state governments be able to—relatively freely—regulate when and for what purposes personal data is processed in their societies. And, as any privacy professional will know, privacy touches upon almost all aspects of society that are worth caring about and, therefore, regulating.
Add to this fact a growing disenchantment with the whole EU project—made manifest by the euro-skeptic gains at the recent election to the European Parliament—and it is clear why member states are hesitant to hand over more power within this sensitive area. And at the end of the day, neither the European Commission nor the Parliament will have to abide by the rules, pay for their enforcement or defend any deficiencies to the populations of Europe. As with all other EU mandated regulation the main onus in this regard falls on the member states and the individual governments.
All in all, the European Commission clearly underestimated the opposition amongst member states to being usurped in regard to such an important and almost incomprehensively large area of law. And while the Council may proclaim outwardly that the proposal raises "important issues" and that further "expert discussions" are needed, the reality is that the majority of member states want to understand what they are adopting before they commence negotiating the final proposal with the European Parliament and the Commission in the so-called "trilogue" procedure.
Where to now?
But all this does not mean that the reform will not happen. In fact it looks more and more likely to be adopted during 2015. It just means that the member states are devoting a large amount of resources to ensuring that the necessary "flexibility" is inserted into the proposal (see the German proposal above regarding the "opening" of the scope). Or in other words: To ensure that enough legislative competence is left safely in the hands of member states, even if the proposal remains in the form of a regulation.
For more information on this topic, see the IAPP Resource Center's close-up on EU data protection reform.