Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

EU data protection Regulation may not be finalised until March


The finalised text detailing proposed new EU data protection laws is not likely to be published until late February or March, a spokesman for the EU Justice Commissioner has said.

Matthew Newman told Out-Law.com that a new data protection Regulation was still to be agreed, but that Justice Commisioner Viviane Reding plans to outline the main thrust of what is being proposed in a speech on 23 January.  Newman rejected claims that the timeframe for the announcement had been delayed. The Commission previously said that the reform proposals would be outlined before the end of January.

"Viviane Reding will make a protocol decision the week of the 23rd. She will be making a major speech on that day in Munich outlining the main ideas behind the reforms. That is sticking within the same timeframe that we said previously," Newman said. "The draft will be formally approved by the Commission early this year and the legislative text that will be debated by the EU Parliament and Council of Ministers probably published late February or early March. Because the legislative text is a Regulation it has to be very precise because it would be directly applicable to the Member States."

A report by Data Guidance said that internal disagreements within the Commission over proposals contained in a draft of the new Regulation had caused the timeframe for publication of the finalised to be pushed back.

"At least four of the Directorate Generals responded to the consultation unfavourably, and this has caused a timetable delay," Martin Hoskins, chairman of the Data Protection Forum, said, according to the report. Some of the concerns centre on the "excessive burden" some of the planned changes to the laws could bring, the report said.

The current EU Data Protection Directive came into force in 1995 and is applied slightly differently across the EU's 27 member states. The Commission has said that the Directive needs to be updated to reflect technological changes. If the reforms are implemented in the form of a Regulation it would apply to all EU countries from the moment it was enforced.

A draft outlining details of proposals thought to be under consideration was leaked late last year and suggests that a Regulation will "reduce legal fragmentation and provide greater legal certainty by introducing a harmonised set of core rules.....". EU directives have to be implemented into national laws and this often takes a couple of years after they are passed at EU level.

In November Viviane Reding outlined her intention for the new laws to give individuals a qualified 'right to be forgotten'. The UK's Information Commissioner has labelled the proposal "unenforceable".

Reding has also said she wants the laws to require organisations to obtain consent from individuals before processing their personal data. However, details of the proposals in the leaked draft suggest that prior consent may only be a specific requirement if personal data is to be processed as part of "direct marketing for commercial purposes".

The leak also detailed further proposed changes to the rules around consent. It outlined that consent would not be said to have been given through silence or inactivity and that there would be no legal basis for saying consent had been given "where there is a significant imbalance in the form of dependence between the position of the data subject and the [organisation]".

Organisations could also face new requirements over notifications of data security breaches, whilst the new regime could make it easier for companies to obtain EU-wide recognition among regulators of legally-binding corporate rules they form.

A new regulatory oversight body for the data protection regime is also planned, whilst new provisions could allow consumers the right to force companies to transfer the personal data they hold about them to rival services.

A new 'data protection by design' requirement could also be placed on organisations to ensure that when any mechanisms for processing personal data are introduced, the personal information stored is "not made accessible to an indefinite number of individuals".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.