The EU Takes One Step Forward (And Then One Back) in Data Protection Reform

The European Commission initiated the data protection legislation reform in January 2012. Despite strong support from the Committee for Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament in October 2013, the Council of Ministers did not grant the reform proposals a green light in December 2013.

In order to modernise and harmonise the fragmented data protection standards across its Member States, the European Commission is in the process of reforming1 the current regulation aiming to substitute the Data Protection Directive 95/46/EC of 1995. The proposals focus on the draft text of the general Data Protection Regulation and on the Data Protection Directive for law enforcement situations. The Data Protection Regulation, once adopted, would establish a single pan-European set of rules that would be obligatory for all Member States, and will thus lose the need to interpret the data protections laws of all 28 countries.

For example, the proposals put forward include the new principle that both foreign and EU-based companies must adhere to the same set of rules, instead of the former application of stricter standards on EU businesses. For private citizens, the reform aims to protect individuals’ rights online more strongly, e.g. by putting more emphasis on the concepts of “the right to be forgotten” and “privacy by design”, allowing personal data to be transferred more easily between service providers, and making the meaning of “data subject’s consent” more explicit.2

The reform proposals have had to go through complex rounds of discussions in different EU institutions. After the positive vote from the Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament in October, where the voting results were seen as a strong sign of progress of the reform, the text moved on to the next round of discussions at the Council of Ministers. Despite high hopes for quick progress, the Council expressed its concerns about a number of aspects and called for reconsideration of the proposals.

Issues discussed at the Council

One of the main developments offered by the reform would be the creation of a single supervisory data protection authority for all companies, instead of the current practice, which has 28 different national data protection authorities. This solution has been labelled as the “one-stop-shop” and is designed to “bring simplicity and cost-savings to pan-European data controllers and processors”.3 However, in its current form and wording, it is opposed by a number of EU Member States, such as Germany.4

Also, despite an agreement having been reached by the LIBE of the European Parliament, the Member States are still discussing the form of the data protection framework (either a Directive or a Regulation) and the consolidation of the data protection supervisory powers into a single EU entity, especially with regard to the authority to order fines and penalties, as well as the more practical mechanisms for consumer redress.3 For example, it is feared that the one-stop-shop system may impose linguistic and financial barriers to those EU citizens whose data had been mishandled by a company based in another member state, and thus may discourage the citizens from going to court.5

There are no concrete signs on the expected date of adoption on the reform proposals. The European Commission has, however, expressed hope that “An agreement on the reform is possible before the end of this year”.6

  1. More information on the data protection reform at: European Commission, “Commission proposes a comprehensive reform of the data protection rules,” press release, 15 January, 2012. []
  2. European Commission, “LIBE Committee vote backs new EU data protection rules,” press release, 22 October, 2013,. []
  3. Hogan Lovells, Mac Macmillan, “Progress falters on EU Data Protection Regulation at Council meeting,” Lexology, December 9, 2013,… [] []
  4. EurActive, “Data protection reform in peril as Germany stymies deal,” December 9, 2013. []
  5. “EU Data protection regulation stalled again,” EDRI, 18 December, 2013. []
  6. European Commission, “Data Protection Day 2014: Full Speed on EU Data Protection Reform,” press release, October 22, 2013. []