Frederik Van Remoortel

As I have previously written, in January 2012 and July 2012, the EU Commission has proposed a comprehensive reform of existing EU data protection rules, including a draft for a new Data Protection Regulation.

This proposal is the subject of the ordinary legislative procedure, which means it is under review by both the Council and the European Parliament as the draft has to be approved by both the European Parliament and the Council in order to become law.

The Committee for Civil Liberties, Justice and Home Affairs (LIBE) has been appointed as the main committee with responsibility for the draft Regulation in the European Parliament. LIBE has already published three working documents and has published a calendar with dates of several meetings, workshops, and hearings that will be organized until the vote in plenary. The current agenda, aiming at an orientation vote within LIBE by March/April 2013 can be found here. MEP Jan Philipp Albrecht, rapporteur for LIBE, has meanwhile published a draft report holding more than 200 pages of suggested amendments to the proposed Regulation, which can be found here. A second exchange of views will be held on the draft report in the LIBE meeting on January 21, 2013. Without entering into the details at this stage – as the report is still not final – the report (with some exceptions) does not seem to take into account criticism and concerns of businesses with respect to the draft Regulation and, if adopted, the amendments will make the new regime even stricter for businesses. It is still anticipated that by the summer of 2013, the Regulation should be ready for a trilogue with the Council and the Commission, and that the Regulation shall be put to a vote in the plenary session of the European Parliament by early 2014.

The Working Party on Information Exchange and Data Protection (DAPIX) handles the review of the draft Regulation in the Council. It has scheduled an article by article review. On December 3, 2012, a Report on the progress achieved under the Cyprus Presidency was published. DAPIX has reviewed 4 of the 11 Chapters of the draft Regulation.

The proposal is also evaluated by national parliaments. An overview thereof can be found here.

Below are some of the various elements of the proposal that are under discussion:

1) The fundamental choice of a Regulation instead of a Directive. During an October 25, 2012, meeting of the Council, among others, the choice of legal instrument was discussed. Some delegations expressed their preference for a Directive – which needs to be implemented afterwards by each Member State, so that there is a risk of, again, having 27 different national laws – whereas others follow the Commission in the choice for a Regulation which has direct effect in all Member States. In a December 4, 2012 speech (“The overhaul of EU rules on data protection: making the single market work for business”), Commissioner Reding has made it clear that in her view the decision to propose a Regulation was the right one beyond any doubt because it meets the expectations of business to have a true digital single market with one single law for data protection.

It is our opinion that a Regulation will provide businesses operating in various Member States a much higher legal certainty, which, in combination with the “one-stop-shop” principle (the national data protection authority of the place where the controller or processor has its main establishment would supervise the activities of the controller or processor in all Member States), can only be welcomed as it would reduce administrative formalities, saving time and money (acknowledging that some of the novelties in the draft may on the other hand increase costs for businesses). Having 27 different national data protection laws in this digital age, is something that should be avoided.

2) Delegated and implementing acts. Delegated acts allow Parliament and the Council to delegate to the Commission the power to adopt “non-legislative acts of general application to supplement or amend certain non-essential elements of a legislative act.” In the proposal for the new Regulation, a considerable amount of delegated and implementing acts has been foreseen.

In her above mentioned speech, Commissioner Reding has already confirmed that there may be some changes to the draft in this respect and that, in lieu of these acts, several different solutions have been considered. These include (i) more detail in the text of the Regulation, (ii) allowing the consistency mechanism to step in (i.e. the mechanism under article 57 of the draft Regulation for co-operation between the supervisory authorities and the Commission in order to ensure the consistent application of the Regulation throughout the Union), (iii) allowing codes of conduct and other business-lead initiatives or (iv) just deleting certain acts in their entirety.

The Commission has also already indicated that where a delegated or implementing act was proposed, the exercise of this power could be further qualified in three ways (source: Report on the progress achieved under the Cyprus Presidency):

1) by inserting procedural rules in the empowerment, for example as regards specific consultation arrangements to be followed by the Commission;

2) by putting substantive conditions on the empowerment; or

3) by limiting the scope of the empowerment.

3) The so-called SME exception to some of the obligations for small and medium-sized enterprises (i.e. companies employing less than 250 employees). The criticism here is that this SME exception is not an optimal solution in all cases, as obligations aimed at ensuring an appropriate level of data protection, should not necessarily be differentiated only by reference to the number of employees employed by the company. Hence, the question is whether the risk inherent in certain data processing operations should not be the main criterion for evaluating the applicability of data protection obligations: where the data protection risk is higher, more detailed obligations would be justified.

4) The right to be forgotten. The Vice President of the European Parliament, Alexander Alvaro, said the provision in the draft Regulation guaranteeing individuals the right to be forgotten needs to be limited. He said this right “has to be limited to the point where we’re talking about judicially, clearly examined, illegal violations of rights.”

These are just a few examples of the ongoing discussions. The Commission meanwhile tries to bring the discussions back to its essence by publishing on its website the interesting contribution “Myth-busting: what Commission proposals on data protection do and don’t mean,” which can be accessed here.