This is a piece I wrote for the March 14th issue of the BEERG global labour newsletter. It examines the consequences of the EU Parliament’s overwhelming vote on the General Data Protection Regulation and acknowledges the hard work and valid concerns raised by the Irish MEP Sean Kelly (EPP & Fine Gael)
Though it is now accepted across the EU that the Data Protection Regulation is not likely to be approved until 2015 at the earliest, the European Parliament has scheduled a debate on the legislation on Tuesday (11 March) with a full First Reading vote on it on Wednesday.
The vote comes just 10 weeks before voters across Europe go to the polls to elect the next European Parliament.
The plenary vote on Wednesday is no mere gesture, however. It is the outgoing Parliament setting out its position so that the incoming one can start negotiations with the Council of Ministers, as soon as they have adopted their position, though the timetable for the Council’s part of the process remains uncertain
It is not the European Parliament’s only debate on Data Protection this week as it is also set to approve the final report of its own inquiry into alleged mass surveillance by the US National Security Agency.
That report not only demands that the US/EU trade talks not lead to a softening of data protection standards, it also calls for the suspension of a programme to share bank transfer data with the US, and calls on member states to strengthen oversight of their intelligence services.
As mentioned earlier, the ball now lies with the member states governments via the EU’s Council of Ministers. The Justice Ministers met last week and held a policy debate on outstanding issues relating to the data protection regulation framework.
ASs the communique issued after the meeting said: “Ministers broadly supported the draft provisions as regards the territorial scope of the regulation and confirmed the understanding that international transfers of personal data to third countries should take place on the basis of key principles contained in chapter V of the draft regulation.”
It then went on to diplomatically express the ongoing delays and problems saying:
“Ministers agreed that more technical work will need to be done on important aspects of this chapter and that the question of alternative models for international data transfer will need to be studied in depth.”
“The Council confirmed that the work will continue at a technical level on the basis of the progress achieved so far on: pseudonymisation as an element of the risk-based approach, portability of personal data for the private sector and obligations of controllers and processors.”
“Whilst a majority of delegations appeared to be of the opinion that the scope of the profiling provision in the future regulation should, like the current Directive 95/46/EC, limit itself to regulating automated decision-making that has legal effects or significantly affects individuals, some other delegations pleaded in favour of specific provisions on profiling. Work at a technical level should therefore continue on that basis.”
Others involved in the process expressed their frustrations with the Council’s difficulties in reaching a consensus less delicately. Ralf Bendrath, the Green Party’s data protection expert and an adviser to the German Green MEP who is the Rapporteur who has steered the Regulation through Parliament thus far said on Twitter: “Germany again – embarrassingly – less supportive than all other member states on progress”. He went on to dismiss Germany’s observations that the issue will “need more debate” and chided them for not specifically stating their objections.
While Ministers are still a long way off reaching agreement on their draft of the Regulation, that is not to say that a great deal of technical work and progress is going on behind the scenes.
The Greek EU Presidency has been working away very assiduously in recent months with a series of DAPIX and other Data Protection officials meerting. The Greeks have also been engaging with the Italian government (it is the the next country to hold the 6 month rotating Presidency of the EU) to work out a road map for agreeing on the data protection reform swiftly.
While their original objective of agreeing on a mandate for negotiation with the European Parliament before the end of the Greek Presidency looks unlikely to be achieved, they are busily dotting all the “i”s and crossing all the “t”s they reasonably can awaiting some direction from the member states.
Meanwhile in the UK, the Liberal Democrat Junior Minister at the Justice Ministry, Simon Hughes MP, has announced a review of the criminal sanctions available for breaches of the UK’s Data Protection Act. He said the review would help the UK government “decide whether to increase the penalties as the law permits”.
Feeding into this process Pinsent Masons’ specialist in data protection law Kathryn Wynn has suggested that the government should go further than reviewing the criminal sanctions and should also consider strengthening the civil monetary penalty regime too, arguing that a previous increase in the maximum level of fine in 2010 had prompted organisations to take the issue of data protection seriously.
Using the draft EU’s General Data Protection Regulation as an example she suggests that the review take the approach envisaged there, where the level of penalty for a data breach is calculated on the basis of a percentage of their annual turnover.
So, even before it is passed, we could see the draft EU’s General Data Protection Regulation is influencing domestic legislation across Europe.