< Back

Share |

Progress on the EC draft data protection Regulation

March 2013

The European Commission unveiled its proposed reforms to EU data protection law just over a year ago.  The cornerstone of the package is a draft Regulation (Regulation) which would take direct effect in EU member states without the need for further implementation.  The EC claims this is necessary in order to harmonise laws across member states but the British government has not been alone in criticising the Regulation for being overly prescriptive in some areas and insufficiently detailed in others.

noteOne of the chief justifications for the Regulation is the EC’s contention that it will lead to administrative savings of €2.3 billion per year across member states.  According to an impact assessment published by the UK’s Ministry of Justice in November 2012, however, the annual net cost of implementing and complying with the proposals in the UK alone will be between £100 million and £360 million each year with SMEs bearing the brunt of increased costs.

National regulatory authorities (NRAs) and the Article 29 Working Party have been broadly supportive of the Regulation but this does not mean they have no reservations.  For example, Britain’s Information Commissioner (ICO) concentrated on the following:

  • the current proposal is too prescriptive and should focus more on outcome than on processes;
  • the drafting needs clarification, particularly with regard to the definition of personal data and in terms of pseudonymised data;
  • the 'right to be forgotten' may lead individuals to expect a degree of protection which cannot be delivered in practice;
  • the ICO supports a "high level of consent" but calls for a coherent set of alternatives to consent where obtaining consent is not viable;
  • while EU citizens should have the same rights and data controllers the same responsibilities, the ICO does not believe that this requires all details of the law to be harmonised and calls for room to accommodate the legal traditions of individual member states;
  • national regulatory authorities need to be given adequate resources to enable them to carry out their new responsibilities;
  • the ICO does not believe fines should always be linked to annual turnover and says "fines are not always the solution";
  • there is too much scope for implementing and delegated acts.

filesNot all these concerns were picked up by the MEP Committee for Civil Liberties, Justice and Home Affairs (LIBE) in its draft report on the EC draft data protection package. Their key recommendations included:

  • a substantial reduction in the number of permitted implementing and delegated acts;
  • stipulating that in the context of collecting a free consent,  the use of default options such as pre-ticked boxes which the data subject would have to change in order to object, cannot validly indicate consent to processing of personal data;
  • requiring that data processors should only be able to rely on the ‘legitimate interests’ exception in extraordinary circumstances;
  • the introduction of the concept of pseudonymous data in respect of which some requirements, including that for specific consent, might be relaxed;
  • an enhanced definition of a data subject;
  • a definition of “anonymised data” along with the recommendation that anonymised data sit entirely outside the scope of the package;
  • a restricted definition of an SME in some cases;
  • an increase in the period within which data controllers need to notify data breaches from 24 hours to 72 hours;
  • a limit on the ability of companies to sell customer data to advertisers and a requirement for them to inform users about what happens to their data and give them a chance to agree or disagree;
  • a requirement for data controllers and processors to indemnify individuals for any damage suffered as a result of a data breach caused by transferring personal data to “non-approved” countries; and
  • a greater restriction on international transfers.

Reactions to the LIBE report have been mixed. The European Data Protection Supervisor and the German and French regulators have been positive but industry reaction has been less than enthusiastic.  The report has been roundly criticised for recommending that an already complex piece of legislation which is widely seen as difficult and expensive to implement, become even more opaque.  The extent to which the report will influence the European Council with whom the real power to amend the Regulation resides, remains to be seen, especially as an Opinion from the Industry, Research and Energy Committee which is supposed to be incorporated into the LIBE report, takes a more pro-industry view, resisting, in particular, the proposed fining mechanism of 2% of annual global turnover.


What has united stakeholders is the large number of permitted implementing and delegated acts which are seen as giving the Commission too much power to legislate by the back door.  So intense has been the criticism that the Commission recently published an explanation of the Consistency Mechanism in an attempt to justify itself.  Viviane Reding, the European Commissioner responsible for bringing in the Regulation, has already said that the next draft of the Regulation will contain less scope for implementing acts and be less prescriptive about compliance methods.

We are likely to see a new draft of the Regulation sometime this year and a timeline published by the ICO suggests that by the end of 2013, a first reading of the package will have taken place in the European Parliament with conciliation meetings between the European Parliament and European Council to start shortly afterwards in the (probable) event of disagreement between the two bodies.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Debbie Heywood

Debbie Heywood      

Debbie looks at the progress of the reform of EU data protection law, one year on.

"The EC claims this is necessary in order to harmonise laws across member states but the British government has not been alone in criticising the Regulation for being overly prescriptive in some areas and insufficiently detailed in others."