Out-Law News 2 min. read
21 Jun 2013, 11:06 am
A planned vote by the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee, originally scheduled for April, on proposed reforms to the EU's Data Protection Directive has been delayed until October.
Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that the delay reflected the difficulty EU law makers have had in achieving agreement on the wording of a new General Data Protection Regulation, first proposed by the European Commission last year. Wynn said the draft Regulation is at risk of being scrapped as a result of the lack of consensus.
"The problem with the proposed Regulation is that it is too prescriptive in detailing how firms should comply with data protection rules," Wynn said. "The focus ought to be on setting outcomes that businesses need to meet, whilst leaving them with an element of flexibility over how to achieve that compliance."
The Commission's plans would introduce a new single data protection law across all 27 EU member states. Currently each member state has implemented the 1995 Directive into national laws in a different way from one another. The Commission has sought to bring an end to the fragmented regime with a single law for businesses that it said will boost the EU economy.
However, several EU governments, including the UK's, and businesses groups have expressed concern that the draft rules are too prescriptive in nature and that they force businesses into taking burdensome and costly steps towards compliance.
More than 3,000 proposed amendments have also been tabled to the Commission's draft by MEPs in the European Parliament.
"The problem with setting out a prescriptive approach towards compliance is that it involves outlining a lot of detail about how that compliance is to be achieved," Wynn said. "It therefore becomes difficult for a consensus to be reached from competing ideas about the processes and procedures needed for compliance, and it also encourages a 'tick-box' attitude to compliance by organisations."
"A principles-based regulation that sets outcomes for organisations and is accompanied by sector-specific guidelines, to address the fact that there are different privacy risks inherent in different industries, would help avoid the difficulties associated with a 'one-size-fits-all' approach and make it more likely that necessary data protection reforms can be delivered," she said.
"EU data protection laws are out of step with the digital age. They do not properly account for advancements in e-commerce, the rise of social media, multiple jurisdictional transfers of personal data and the increased profiling capabilities brought about by the emergence of 'big data'. However, an update to the regime is not likely unless an effort is made to make the draft Regulation less prescriptive," Wynn said.
"It may be that it gets to the stage that it is no longer possible to progress negotiations over the current draft Regulation because of differences over the detail. The European Commission may have to go back to the drawing board to either frame a new outcomes-focused Regulation or Directive to achieve the reforms necessary," the expert added.