Euro Security Watch with Mathew J. Schwartz

EU Privacy Overhaul: Still Waiting

Why Europe Can't Get New Privacy Legislation Passed

Three years after the European Commission released its proposed overhaul for Europe's 1995 data protection regulation, we're still "not that close" to seeing a new law anytime soon. That's the unfortunate update provided in a blog from David Smith, the U.K. Director of Data Protection.


Europe's vaunted privacy rules are in desperate need of reform. And the draft version of the new law includes crucial changes, ranging from streamlining related requirements to lower the cost of compliance for businesses, to giving EU member states' data protection officers the ability, for the first time, to impose serious fines on those who break privacy rules.

Smith, who's deputy commissioner of the Information Commissioner's Office - which enforces EU data protection rules for the United Kingdom - told me at the April 2014 Infosecurity Europe conference in London that after the new EU government took power in July 2014, we might finally see a new EU data protection regulation by the end of 2015. Ten months later, however, Smith sounds less sure about that potential timetable. "Progress has been made, but the negotiations in Brussels are not even in the home straight, let alone close to the finishing line," he says.

How to Build an EU Law

To understand why, it helps to note that three parties collectively create and pass new EU laws:

  • European Commission: The EU's executive body proposes new laws;
  • European Parliament: The EU's legislative body proposes amendments to proposed laws;
  • Council of the European Union: The representatives of the executive governments of the EU member states also add amendments to proposed laws.

After those amendments have been proposed, the three groups come together in a "trilogue" to hash out a final agreement, which is an EU regulation that then becomes law in each EU member state. Between the regulation being passed and the law taking effect, there's also an introduction period that allows EU member states to plan for how they'll enact the law, on a practical level.

If you think that process sounds complex and prone to delays, you'd be right, at least where data protection reform is concerned. "Everything's gone much more slowly than the optimists have predicted up to now," Smith says.

In part, that's because "the Parliament is ready for the trilogue ... but the Council isn't," he says. In fact, the Parliament has been ready for the past year. To date, the Council has also agreed on some crucial changes, including former EU Commission Vice President Viviane Reding's one-stop shop proposal to streamline existing rules and allow a single member state to coordinate and run EU-wide privacy investigations. Currently, up to 28 member states can each run their own investigations and impose related sanctions.

EU Council Delays

But the Council has yet to agree on all of the proposals, including the right to be forgotten, which allows Europeans to request the removal of some types of "irrelevant" or outdated data from search engine results. One sticking point is whether those removals should apply just in Europe, or worldwide. Furthermore, EU officials have been hoping to bundle the new data protection regulation with a new directive - which EU member states then "translate" into domestic laws as they see fit - that covers data protection for the law enforcement and justice sectors. But the Council has yet to agree on that as well.

The Latvian Agenda

The presidency of the Council is held by Latvia until the end of June, and Latvian officials say the new data protection regulation ranks high on its agenda. But Germany's Jan Philipp Albrecht, the European Parliament's data protection reboot rapporteur - think "liaison officer" - warned last month that the "Council and Parliament are heading in two completely different directions," Parliament Magazine reports. "Even if the Council is ready to negotiate somewhere in June, it is not sure we will finalize a compromise before the end of the year," Albrecht said.

On the upside, U.K.'s Smith says "there's no doubt that the pace is 'hotting up,'" - that's a British term - and that it's possible a trilogue could be scheduled for later this year, after Luxembourg assumes the EU Council presidency. If Luxembourg can bring its formidable - and well-regarded - diplomatic skills to bear on data protection reform, a new regulation might be agreed before the middle of 2016. "Of course, then the fun really starts, with two years for implementation and the new regime up and running perhaps some time in 2018," Smith says.

Or there could be further delays, thus pushing improved data protection for Europeans into the 2020s. Dear EU officials: We're waiting.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
