EU Data Protection Regulation Update: Part 1
The following is part one of a two-part Radius series on changing data protection regulations in the European Union. Read part two of the series.
By Stuart Buglass, VP Consulting
Council of the European Union justice ministers met in Brussels this past December, in part to discuss the European Union’s (EU’s) proposed data protection framework. The framework is known as the EU Data Protection Regulation, which is to apply to all EU member states. The Council made some headway on the draft of the Regulation, including setting out general provisions related to the public sector and certain data-processing situations. The Data Protection Regulation, however, is far from finalized. As the Council’s video summary of the event points out, “Because part of the regulations are interlocking, no agreement on any section can be set in stone until the entire package is agreed.”
The EU Data Protection Regulation has been three years in the making already, and the European Commission itself once set a 2014 target for its launch. The delay can be attributed to the inherent complexity of the subject and to the sheer number of member states involved. In addition, some points of conflict have arisen, such as those related to the role of data processors and a single ‘one-stop shop’ (OSS) regulator. At this point, getting the legislation “set in stone” by the end of 2015 is a best-case scenario.
Given this reality, it’s worth reviewing the EU’s current data protection landscape and outlining some of the likely provisions that will be contained in the coming Regulation.
The EU’s Existing Data Protection Landscape
In addition, Directive 95/46 was drafted during a time when only 1% of Europeans used the internet. Understandably, many EU laws that were developed under the Directive do not account for data privacy issues related to social media, cloud computing and other relatively recent technological advancements. Not only can these laws be difficult to follow in practice, they can expose businesses and citizens to risks.
All of this means that the EU Data Protection Regulation now under development is sorely needed. In the meantime, businesses operating in EU member states must comply with various existing data protection laws, while also preparing for the common standard that will be in place when the EU Data Protection Regulation is finalized.
In part two of this series, I’ll discuss the primary aims of the EU Data Protection Regulation reforms, along with some recent data protection case rulings in EU member states.