By Nóra Ní Loideain

Reforming the outdated EU legislative framework governing data protection was always going to be a daunting task.

The conditions and requirements of the 1995 principal EU Data Protection Directive (95/46/EC) have harmonized standards in the transparency and accountability of domestic laws regulating the protection of personal data by the public and private sectors across Europe since the directive came into effect.

However, as highlighted by the European Commission in its Impact Assessment of the current framework in 2012, “rapid technological and business developments” have occurred in the interim, particularly the ubiquitous use of Internet-based and mobile communication devices and the dramatic advances, in addition to the significantly lower costs, involved in the processing of personal data.

While the established objectives and principles of EU law remain sound, this has not prevented fragmented implementation of the current data protection framework across the EU.

This lack of harmonization raises concerns of legal uncertainty and a widespread public perception that there are significant privacy risks associated with online activity. These issues serve to undermine consumer confidence, threaten the expansion of online markets and services and infringe the fundamental right of all EU citizens to the protection of personal data, as guaranteed under EU law.

The Proposed Data Protection reforms (both the regulation and directive concerning police and judicial cooperation in criminal matters) were developed to address these issues. According to the European Commission, the policy objectives underlying the DP reform package reflect the need to build:

[A] stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.

The subsequent policy process has gradually engrossed the attention of policy-makers and stakeholders from the private and public sectors since the publication of the proposed Data Protection Reforms by the commission in January 2012.

Leading legal expert Christopher Kuner, author of recent OUP publication Transborder Data Flows and Data Privacy Law, aptly describes the pending major reforms as a “Copernican Revolution” in EU data protection law that represent a shift in focus “from paper-based, bureaucratic requirements and toward compliance in practice, harmonization of the law and individual empowerment.”

Since 2012, four EU presidencies—Denmark, Cyprus, Ireland and now Lithuania—have been responsible for advancing the EU data protection reform project. Based on the updated timeline from the meeting of the EU Council (24/25 October) for the enactment of the regulation “by 2015,” the Greek Presidency—and possibly even the Italian Presidency from July 2014—is likely to be steering the final stages of this process.

Developments in 2013

From 2012, the initial pace toward reform was slow but picked up considerable momentum in 2013. Any reference to the DP reforms was notably absent from the Danish Presidency’s Programme of policy priorities. In contrast, the Cypriot Presidency was unequivocal in expressing its commitment to “work actively” to “advance negotiations of the data protection reform.”

The Irish Presidency had the unenviable task of moving from the negotiation stage to seeking agreement on specific provisions of the data protection reform project in January 2013. EU Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding subsequently commended Ireland for its work. Following 25 high-level expert meetings and reaching agreement on four out of 11 chapters of the proposed regulation, Commissioner Reding described this “data protection sprint” as “a remarkable achievement”—the exhausting pace of which allegedly resulted in EU diplomats having to sleep in tents.

Throughout the Irish Presidency and the current Lithuanian Presidency, Parliament reviewed the commission’s proposals and returned with amendments—many amendments. By the time all the different committees in Parliament had voted on the proposed reforms, more than 3,000 amendments needed review. After a somewhat understandable number of delays, a majority of the LIBE (Civil Liberties, Justice and Home Affairs) Committee backed an amended draft of the commission’s DP proposals on 22 October.

Several major substantive recommendations have been proposed under the DP regulation. The most groundbreaking changes include the ‘One-Stop Shop’ system, major sanctions for breaches and the establishment of data protection officers once the personal data of more than a specified number of data subjects is being processed annually by an organization. An in-depth analysis of the LIBE amendments to these proposals can be found in this free web conference moderated by IAPP VP of Research and Education Omer Tene and in Christopher Wolf’s analysis of the impact on Safe Harbor.

Complicating matters, near the end of the Irish Presidency, whistleblower Edward Snowden revealed to leading news publications in the UK and U.S. (The Guardian and The Washington Post) details of FBI and NSA programs involving the surveillance of communications data—otherwise referred to in the U.S. as “metadata”—and content of citizens’ communications both within and outside of the U.S. These (ongoing) revelations have since become well-known worldwide and have played a role in the EU data protection reforms.

In response to the Snowden revelations, German Chancellor Angela Merkel highlighted the need for EU member states to adopt more robust data protection laws in order to require Internet service providers operating within the EU to reveal who receives personal data from them. Commissioner Reding subsequently urged the leaders of other member states to follow Chancellor Merkel’s resolute commitment to strengthen the current EU data protection laws.

Reflections and Predictions

Commissioner Reding and the EU Parliament have used the Snowden revelations as a driver for the urgent passing of the draft regulation. Scant attention has been drawn, however, to the draft legal instrument that is more relevant to this issue—the proposed directive on the protection of personal data processed by law enforcement authorities within the EU.

It is unlikely, however, that this policy situation will change. The future of the proposed Data Protection Regulation is the focus of legislators and stakeholders both within and outside of the EU.

Two main factors underpin this prioritization.

Logistically, finalizing the provisions of the regulation requires a significant amount of negotiation and agreement time between the EU institutions and member states. Secondly, several member states have only just implemented the 2008 Council Framework Decision regulating the protection of personal data processed by law enforcement authorities (2008/977/JHA). Therefore, EU principles of Better Regulation require that the impact of this instrument is assessed before the EU rules governing this area are changed so soon again.

Both the Article 29 Data Protection Working Group (4 December 2013) and European Data Protection Supervisor Peter Hustinx have warned (15 November 2013) that the Parliament elections in July are also likely to disrupt the ongoing consultations between the EU institutions as they work towards finalizing a compromise draft for the commission before the end of 2014.

As Hustinx emphasizes, legislators should aim to adopt the data protection proposals swiftly “as a new Parliament may mean examination of the proposals would have to begin afresh.”

Despite the priority in their programme to “continue intensive negotiations seeking substantial progress on the Data Protection package,” the Lithuanian Presidency has indicated no sense of urgency to finalize an agreement between the Parliament and Member States on the Data Protection reforms by the end of 2013.

The next EU Council General Affairs meeting takes place on 17 December 2013—just before the final meeting of the council for 2013—when the draft conclusions from its meeting in October, more specifically the current 2015 deadline for the proposed regulation, will be debated.

It is unlikely, however, that a consensus from member states in response to the proposals by Parliament to the Draft Regulation will be established by this time given the current lack of political impetus from key member states, particularly the UK and Germany, to quickly reach an agreement.

The lack of urgency from the UK appears to stem primarily from concern about the implications that data protection reforms pose for industry. Minister for Justice Chris Grayling notes that it is better to “take the time … rather than rush into something that proves unworkable and costly.”

In contrast, Chancellor Merkel insists that any delay from Germany is due to ensuring that the future data protection standards of the EU mirror Germany’s high data protection standards.

Whatever the driving factors, there appears to be little political will to quickly advance the current state of the negotiations. For example, the Justice and Home Affairs Council will debate the one-stop shop system this week (5-6 December). UK Home Secretary Theresa May has, however, already suggested that any significant progress on this aspect of the proposed data protection reforms is unlikely:

The justice day will begin with a discussion on the concept of the one-stop-shop mechanism contemplated in the draft Data Protection Regulation. The presidency has indicated its wish to reach a partial general approach on those aspects, though it is possible the council will conclude that this would be premature.

Given all of the above factors, both substantive and procedural, reaching agreement on the reforms before the 2015 deadline set by the council is a possibility. Achieving the same task, however, before the end of the current EU legislature in 2014 seems increasingly unlikely.

Nóra Ní Loideain is a PhD candidate and CHESS scholar at the Faculty of Law in the University of Cambridge. Her doctoral thesis concerns the Data Retention Directive (2006/24/EC), specifically the surveillance by law enforcement authorities of communications data obtained from the private sector and the right to respect for private life in Europe. She has previously worked as a judicial researcher for the Supreme Court and as a legal research officer in the Office of the Director of Public Prosecutions of Ireland. Her main research interests and publications are in the fields of EU law and policy-making; data protection, civil liberties and human rights, particularly under the EU and ECHR systems.

