Things can only get better. That’s the message from all parties negotiating the new EU Data Protection Regulation.
Following the first so-called trilogue meeting on Wednesday, negotiators representing the European Parliament, the European Commission and the council of national justice ministers said that citizens’ data would be better protected under the proposed new law, or it wouldn’t be worth doing.
The chairman of the EU parliament’s justice committee, British Labour MEP Claude Moraes, said the proposed Data Protection Regulation is an urgent priority for the Parliament, but added that “any provisions [on protecting personal data] that go below the current 1995 directive would be a red line.”
Yes, you read that right – the EU's current rules on data protection date from a time when dinosaurs roamed the earth social media hadn't been invented and cloud computing was mostly a pipe dream.
The latest Eurobarometer opinion poll, published by the Commission, shows that survey respondents have serious concerns about what happens to their personal data online. Only 15 per cent of the 28,000 questioned felt that they had complete control over information they provided online.
With this in mind, the clock is now ticking on the three-way talks between the EU parliament, the Council and the Commission – and negotiators have set themselves a tight schedule.
Luxembourg’s Justice Minister, Felix Braz, who will lead negotiations on behalf of the Council, said that the parties have agreed on a “flexible roadmap”, but with one immovable point – the Justice and Home Affairs Council meeting in October. “We have a rendezvous we can’t miss,” he said.
Eight meetings have already been scheduled for July and September. German MEP Jan Philipp Albrecht, who is lead negotiator for the EU parliament, said that although there are practical difficulties in coordinating calendars of three institutions, there is sincere commitment to getting the job done.
“We think it’s a very good sign that the Council, Commission and Parliament have all committed to agreeing a unified data protection regulation by the end of this year. This first meeting showed very clearly that this aim is achievable and realistic if all three parties are open to compromise – and all three have declared that they are. I think that the three texts which are now on the table are now much closer to each other than we would have thought some months ago,” said Albrecht.
But he admitted there are still some problems to deal with, including the rights of consumers, duties of data controllers and limitations on further processing of data for incompatible purposes. However, having steered the text through more than 4,000 amendments to a unified position in the EU parliament, Albrecht is confident of reaching agreement: “The devil is in the detail, but I don’t see any real danger in not achieving our aim.”
Latvia’s Justice Minister, Dzintars Rasnacs, said that time was of the essence because EU countries will have to get ready to implement of the regulation: “Each member state will have increased supervision and each member state will have to increase capacity. A great deal of work by enforcement will be needed.”
EU Justice Commissioner Věra Jourová also highlighted the issue of enforcement of the eventual law: “Once it is adopted the work will start and we [at the Commission] will be working on very precise and concrete guidelines for data protection authorities including equalisation of imposing of penalties... after we agree on them.”
Working out how large fines for breaking the new law will be is one of the big issues still up for debate.
“Of course, sanctions are one of the issues for which we need trilogue, but they must be proportionate and effective,” said Jourova.
The EU parliament wants the strictest sanctions of up to five per cent of global turnover, while the other two parties will likely argue down from this. The draft regulation is a vast document and reaching compromise will not happen overnight. As Albrecht said: “We really have to work through a mountain of articles and paragraphs, but we are committed to doing it.”
A Data Protection Directive, which covers law enforcement agencies (as opposed to the regulation, which applies to companies), is also on the table. Moraes said “Everyone knows we’ve had problems with directive, but the parliament considers the two elements a single package, it is not just cosmetic.”
Compromise and negotiation are always the watchwords for negotiators at this stage in EU law-making. Yet against the external backdrop of the Snowden revelations, reform of the EU-US safe harbour agreement and challenges to jurisdiction by Microsoft and Facebook, there seems to be more impetus behind this legislation than most. ®