According to a document detailing the conclusions agreed on at the European Council meeting in Brussels (20-page / 165KB PDF), new EU data protection rules and a new cyber security framework are to be adopted "by 2015". French President François Hollande said that the 'by 2015' wording referred to the beginning of that year, according to a report by EurActive.
It was previously anticipated that the data protection reforms would be finalised before the European Parliamentary elections in May next year.
Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that the 2015 deadline will give law makers enough time to get the new data protection regime right.
"Much needed modernising of data protection rules remains on the agenda and is being taken seriously but with a realistic timescale to negotiate a final draft," Wynn said. "It is positive that there will remain momentum towards reforms as a result of a deadline being set, which may have been lost if a time limit on negotiations was not agreed. However, there are still differences that remain about exactly how the new regime should look."
"From a business perspective, the most important thing is that the reforms are thought through and not rushed through to make headlines. If the rules were set out in a new Directive there would be an opportunity to make improvements in how national laws implementing the reforms are termed. However, that opportunity won't be available with a new singularly applicable Regulation. It is therefore vital that the law makers get it right first time," Wynn added.
At the European Council meeting UK Prime Minister David Cameron had sought to avoid a deadline being set for the data protection reforms to be brought in, but agreed a compromise on the 2015 deadline, according to a report by the Financial Times.
"The UK wanted to delay the [General Data Protection Regulation] because they feel that it may harm the interests of business," German Chancellor Angela Merkel said after the meeting, according to the EurActive report. "Germany had reservations on not moving too quickly to ensure that it can reconcile the existing rights of its citizens."
In January 2012 the European Commission outlined plans to update the EU's existing data protection law regime. It published a draft General Data Protection Regulation which, if introduced, would see a single framework of data protection apply throughout the EU and also bring businesses based outside the trading bloc but targeting services at EU citizens' within the scope of the rules. The Commission also published a draft Directive specifically to set rules on personal data processing for law enforcement bodies in the EU.
At the moment the EU Data Protection Directive is applied slightly differently within each of the 28 EU member states. The Commission sought to harmonise the rules and bring them up to date for the digital era in outlining its plans for a new Regulation.
Following months of lobbying and negotiations, the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee last week voted to approve wording for the Regulation and urged for EU Ministers to agree on their own position on the text in order to progress with further negotiations on a final draft. Both the Council of Ministers and the European Parliament must agree on the wording of the Regulation before it can come into force.
However, EU Ministers remain divided on some aspects of the reform and have still to reach a settled position from which to open negotiations with the LIBE Committee. One example of the differing views is evidenced by the lack of agreement among Justice Ministers over the way data protection authorities would enforce businesses' compliance with the new regime.
The UK Government has previously outlined its opposition to some aspects of the proposed reforms which it said would unjustifiably increase businesses' costs. In particular the Ministry of Justice (MoJ) opposes measures which would require businesses to employ dedicated data protection officers.
In November last year the then Justice Minister Helen Grant said that the net annual cost of complying with the European Commission's draft General Data Protection Regulation would be between £100 million and £360m for UK businesses, public sector organisations and charities. The Commission has said that it expects the reforms to deliver €2.3 billion of annual savings to organisations' administrative costs.
"The Government wants to see EU data protection legislation that protects the privacy of individuals, while ensuring businesses of all sizes are able to grow and innovate," Justice Secretary Chris Grayling said in a statement sent to Out-Law.com. "These should be achieved in tandem, not at the expense of one or the other."
"The proposals could end up costing UK businesses – as well as those of our counterparts in Europe – hundreds of millions of pounds every year, strangling them with red tape. We are negotiating hard to make sure any law is good for business and citizens – otherwise we will pay the price in jobs later," he added.