European Data Protection Reform – Should you worry yet?

If your company touches any Europeans’ data you’d better prepare for what’s coming.

The EU data protection reform is steadily moving forward. On March 12, 2014, the European Parliament adopted the current proposal in its first reading. The new regulation is intended to strengthen consumer privacy rights and to boost Europe’s digital economy. However, many experts across the Atlantic have expressed deep concerns with regard to some controversial aspects of the incoming laws, which introduce bigger fines, 24 hour disclosure and the enforced Data Privacy Officer. The proposed regulation applies to the processing of personal data pertaining to data subjects in the EU even if the controller or processor of such data is not established in the EU. U.S. companies with or without operations in the EU that fail to comply with the new rules can trigger fines up to €100 million. If your company touches any Europeans’ data, you’d better prepare for what’s coming and know what to do to minimize the impact on your organization when the regulation is enforced.

Should you worry yet?

According to Viviane Reding, EU Justice Commissioner, there is a full commitment of the European bodies to pass this legislation by the end of the year. However, the experts are skeptical with regard to a swift approval by the council of ministers of the EU member states. Balboni believes that “there seems not to be agreement at the Council level so far on the last text proposed by the European Parliament in October 2013. Despite the commitment showed it is very unlikely that they are going to make it. More likely next year, sometime in 2015” The EU commissioners are famous for their lengthy negotiations: the current Privacy Directive 95/46 took several years to be approved and 2014 is an election year. We are looking at 2015 for the regulation to be approved, and then it is going to take at least two more years before the regulation becomes enforceable in the 28 member states. “in fact, we are looking at two to three years at best” predicts Balboni.

Leupold is skeptical too: “I don’t agree with what’s being reported in the European news. I don’t think we will see the regulation this year. Perhaps in the course of 2015. Then we’ll have an intermediary period during which the old law still applies, and that will be a period of two years. If worst comes to worst we will not see any regulation entered into force before 2018”. According to Leupold, the real issue at stake now is not so much the EU commission, or the people who drafted the regulation, but rather the Council of Ministers which is somehow blocking its progress. “There’s still some uncertainty on what the right approach should be. Do we really have to focus so strongly on the protection of the European citizens and their personal data, or isn’t it so that the free flow of data across borders is an economic factor which must be taken into account so as not to put up hurdles for ecommerce? That’s still hotly debated, and that’s the reason why this is not moving on.”

Next: How to prepare for what is coming

Previous: The enforced Data Privacy Officer – revenue generation for lawyers?

CREDITS

Dr. Andreas Leupold LL.M.

IT-Law, Outsourcing, Cloud Computing, Data Protection & Data Security.

Munich, Germany

David Snead

Internet Attorney and co-founder of Internet Infrastructure Coalition

Washington D.C. Metro Area

Paolo Balboni

Founding Partner at ICT Legal Consulting

Milan Area, Italy