EU Data Protection Regulation: Update

The EU Data Protection Regulation was discussed yesterday at the Privacy Laws & Business conference in Cambridge, UK.

Here is the latest news:

  • There has been a debate as to whether the new Regulation is actually going to happen. The clear view from the European Commission and the European Data Protection Supervisor is that the Regulation will happen and the European Parliament is unlikely to change its position on any of the main points, so businesses should start preparing.
  • Officially, the aim is to finalise the Regulation in late 2014. The reality is that this adoption will probably happen in 2015. As an indicative backstop date, the UK Government is keen to finalise the process before the next general election in May 2015. There will then be a 2-year transitional period.
  • The “One Stop Shop” will likely be diluted so that a data controller will be regulated by the regulator in the EU jurisdiction of its main establishment, but that regulator will need to cooperate and work closely with other regulators. This looks like a dilution of the advantages of locating in the UK or Ireland in order to avoid regulators in other member states.
  • Binding Corporate Rules may be extended to “groups of enterprises in a joint economic activity”. This may help use of subcontractors operating “in the cloud”. Watch this space for more detail.
  • It isn’t yet finalised whether the new law will be a Regulation or a Directive (requiring local implementation). For what it’s worth, it looks like it will be a Regulation, so probably no change on this.

Interestingly, Lilian Mitrou (who was in charge of pushing forward the reform on behalf of the Council of Ministers as part of the Greek Presidency) said that they tried to create a balance between “realism” and “not ignoring the difficulties”. Despite this, the new provisions (including extra-territorial effect, the “principle of accountability” and the need for policies, procedures, audit and appointing a Data Protection Officer along with data breach notification duties and substantial fines) all look likely to be implemented. An updated version of the Regulation has recently been leaked and formal confirmation of the amended proposals from the Council of Ministers will be published soon.

Next Steps

We now have the original proposal for a Regulation from the Commission together with the version proposed by the European Parliament and (shortly to be published) the proposal from the Council of Ministers. The next step is to conduct the “trilogue” procedure under which the institutions discuss and agree the final text. As mentioned above, the official aim is to do this by the end of 2014.

Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity and information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.
