European Commission Vice-President Viviane Reding gave a speech on 'A data protection compact for Europe' at the Centre for European Policy Studies to mark Data Protection Day on 28 January 2014, calling for "full speed on data protection in 2014."
Reding stated that aiming to complete the proposed General Data Protection Regulation ('the Regulation') by late 2014 would be a "lowest and slowest common denominator approach."
DataGuidance has picked out the key points of her speech.
"Discussions [on the Regulation] are mature. The text is ready. It is just a matter of political will."
The Regulation text was approved, with almost 4,000 tabled amendments, by the European Parliament Committee on Civil Liberties, Justice and Home Affairs ('the LIBE Committee') on 21 October 2013. DataGuidance has covered the LIBE Committee's proposed text in depth
. Since then, the text has been in trilogue discussion between the European Commission, Council and Parliament.
Eduardo Ustaran, European privacy expert, told DataGuidance, "The big question now is whether the process will simply proceed on the basis of the existing drafts or we will go back to the drawing board. […] Being optimistic, I think that it is possible to find a compromise that everybody could live with […] within a year or so."
Anna Fielder, Trustee and Board Chair at Privacy International, said, "Political will is crucial at this stage. The snail pace of the discussions in the EU Council is nothing short of scandalous - one step forward two steps backwards during the last six months of the Lithuanian Presidency. This lack of progress is to the detriment of people's rights."
Christopher Wolf, Partner at Hogan Lovells LLP, commented, "There have been scores of proposed amendments to the Regulation and there are significant open questions about how much of it will work in operation, so it may be overstating things to say that 'the text is ready'."
"One cannot simply use 'national security' as a trump card and disregard citizens' rights."
Directive 2006/24/EC ('the Data Retention Directive') requires telecommunications companies to retain user data for up to two years. The Advocate-General of the Court of Justice of the European Union (CJEU) gave an opinion
on 12 December 2014, that it is incompatible with EU law, though the CJEU has not yet passed judgement. Dr. Paolo Balboni, Scientific Director of the European Privacy Association (EPA), said, "Surveillance should become the exception rather than the rule."
"[For Safe Harbor] to be fully roadworthy, the US will have to service it."
Fielder stated, "The fact is that it is difficult to make a self-regulatory system work in one country that is supposed to conform to strong regulation in another. It seldom works. […] [W]e believe that Safe Harbor should be suspended."
Wolf stated, "The threat of suspension is neither realistic nor productive. The US is working hard to address the EU concerns. Moreover, the elimination of the Safe Harbor will hardly make EU data subjects more protected."
Recent developments in this area include the European Commission's Recommendations
on the Safe Harbor reform, and the LIBE Committee's Draft Report
calling for its suspension.
"We need to turn opportunities into enforceable rights […] for us Europeans; it is essential [that President Obama's] announcements are followed up by legislative action before the summer."
The US Government has agreed to legislate on the NSA issue by summer 2014. President Obama's speech
last week outlined his plans for reform.
"The NSA reform should be taken as a chance to carry out a substantial and shared reform that will better regulate Law Enforcement Agencies' access to citizen data, and relegate surveillance to an exceptional measure regardless of the nationality of individuals," Balboni told DataGuidance.
"One would hope that in evaluating national security access to data that the access by EU countries in the name of national security also is reappraised," Wolf stated.
On the French Data Protection Authority's recent 150,000€ maximum fine awarded to Google: "[T]he fine in France represents 0.0003% of its global turnover. For them, this looks more like pocket money than a fine."
According to the version of the Regulation
voted on by the LIBE Committee, the maximum fine could be up to 100 million € or 5% of global turnover, whichever is higher.
Balboni told DataGuidance, "Proportionality of sanctions is key. However, we should not make the mistake of thinking that high sanctions will be the primary driver of data protection compliance. Streamlined rules and clear enforcement procedures coupled with meaningful incentives for virtuous companies will have to be in place in order to complete a pragmatic and forward-looking reform. In this way, companies would perceive data protection as an asset rather than a mere compliance cost."
Wolf commented, "The absence of any granular guidance on how the proposed fining authority will work threatens to make the fine structure erratic, indiscriminate and unfair. Will every violation be subject to a huge fine? If not, which violations are fine-worthy and which are not? We can't tell under the current proposal."
© 2014 Cecile Park Publishing Ltd. All rights reserved