Last month Ministers from across the EU met in Luxembourg to discuss ongoing negotiations towards a new data protection law framework. At the meeting the Government, together with Denmark, Slovenia, Belgium, Hungary and Sweden outlined their opposition to European Commission plans to form a new Data Protection Regulation, according to a report by information law experts Amberhawk Training.
The six countries instead back plans for a new Data Protection Directive to replace the existing Directive, from which current national data protection rules are drawn, the report said. Bulgaria, Germany, Spain, the Netherlands, Luxembourg, France, Italy, Greece and Ireland support a new Regulation instead, whilst the remaining 12 EU member states are as yet undecided on the issue, it said.
In January the Commission outlined plans to bring the EU's data protection framework up-to-date with the digital age. Its proposed General Data Protection Regulation would replace the existing regime which the Commission described as fragmented and outdated.
Currently EU member states have slightly different data protection laws from one another. This is as a consequence of the way those countries have implemented the 1995 Data Protection Directive into national laws. The wording of EU Directives does not have to be precisely copied into national laws. However, EU Regulations contain a binding set of rules that, if approved, apply across the entire trading bloc.
So, whether the proposed reforms are contained in a Regulation or a Directive is important because it determines the extent of flexibility member states have to adopt their own approach to the rules.
Earlier this year the Ministry of Justice (MoJ) expressed its view that a Directive, rather than a Regulation, was the right legal instrument through which to drive through reforms, according to a leaked file from the Council of Ministers published by civil liberties group Statewatch.
"We are of the view that the proposed general Regulation should be a Directive in order to provide greater member state flexibility to implement the measures – a Regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice," the UK said, according to the file.
Out-Law.com asked the MoJ to confirm whether the Amberhawk report accurately describes the Government's up-to-date position on the issue, but it did not answer this question.
Instead, in a statement Justice Minister Helen Grant said: "I believe that the proposed EU data protection legislation is too prescriptive, which is why I am pushing for legislation that is less burdensome - providing protection without stifling growth and innovation."
"The processing of personal data should be founded on the principles of necessity and proportionality, appropriate data protection safeguards and appropriate data protection oversight. These should be achieved in tandem, not at the expense of one or the other. The Government will continue to work constructively with the EU to ensure that happens," she added.
Following the Luxembourg meeting, the EU's Justice Commissioner Viviane Reding said that she was "prepared to introduce further flexibility" within the draft General Data Protection Regulation as long as "it does not run against the objectives of achieving a more harmonised legal environment". She said EU member states could be given limited freedom to write their own laws affecting data protection in the public sector.
Under the Commission's proposals it would be able to draft a series of "implementing" or "delegating" acts in the future in order to provide more detail on the precise workings of some of the measures included in the Regulation text.
However, in her speech Reding indicated that she may be willing to drastically cut the ability of the Commission to set out rules through the two "Commission empowerments" by up to 40%.
Reding also said that she was aware of concerns about "the possible administrative burden for companies" that it is perceived in many quarters that the proposed new data protection framework would create. She said she had made "concrete proposals" to EU Justice Ministers "to reduce" the perceived burdens and suggested organisations that process relatively little non-sensitive personal data may be exempt from some of the requirements set out in the draft Regulation.
Reding said that she is "confident" that a "political decision" will be able to be made on the issues of public sector flexibility, administrative burdens and on the Commission's power to introduce delegated and implementing acts next month. It is further hoped that a "political agreement on the reform package" can be obtained by the middle of next year, she added.