David Smith, the UK’s Deputy Commissioner of the Information Commission, has commented on the progress of the revised European Data Protection Act.
Put simply, the proposals could prove to be one of the biggest changes to data protection this country has ever seen. Against that backdrop it is no surprise that we’ve been monitoring events in Europe closely, looking at how the initial reform proposals, published by the European Commission in January 2012, might be brought into law.
The process by which this proposal might become UK law is not a simple one, as our overview of the whole process shows. The crucial next step is for the European Parliament and the Council of the European Union to look at this separately before coming together to approve a final text.
The European Parliament is where the MEPs sit, some 736 of them from across Europe. Much like our own Parliament, the MEPs will sit on several committees. There are five committees directly involved in looking at the data protection reforms: JURI (legal), ITRE (industry), IMCO (internal market and consumer protection), EMPL (employment) and LIBE (civil liberties). LIBE is the ‘lead’ committee. All committees will submit their own amendments before negotiating a consolidated Parliament view which is expected in late April.
While that is happening, the council are also looking at the reforms. The council is made up of relevant ministers of each member state with responsibility for the issue at hand, although for practical purposes much of the work is done by government officials. For the data protection reform, the UK’s Ministry of Justice takes charge of the regulation, but works closely with the Home Office on the issue of the directive that will apply to law enforcement agencies. The subgroup of the council dealing with this issue is called DAPIX (Data Protection and Information Exchange) and is chaired by the Presidency of the Council – currently Ireland. The ICO has a key role in advising the Ministry of Justice throughout these discussions.
At the time of writing, the parliamentary committees are well advanced in considering their compromise amendments on both parts of the package. The council, however, has not finished its first round of amendments. Nevertheless, with a timetable to adopt the new rules by the end of June – the end of the Irish Government’s presidency – this is one of the top priorities. The presidency is scheduling in more meetings to ensure that the negotiations can be completed as quickly as possible, to try to keep everything on track.
Once both the parliament and the council have their consolidated views in what is known as the ‘First Reading’, they will need to negotiate, possibly over the summer if things go well, to get an agreement on the text. Failing this, they will move to the ‘Second Reading’ and further negotiations.
Some of that negotiation will be around whether the reforms are in the form of a regulation, which will apply directly in every EU Member State, or a directive, which will need to be transposed in a more flexible way into national law. The proposal is for a general regulation with a directive specifically for the criminal justice sector. However, there is speculation that this directive will be put on the back burner. This, coupled with a move, which we and other data protection authorities are resisting, to confine the regulation to the private sector and develop a new directive to cover the public sector, leaves the outcome uncertain. Currently both the proposed regulation and the proposed directive allow two years for implementation following their coming into force. However, experience suggests that, because of its direct effect, implementation of any regulation will, in practice, come more quickly than implementation of any directive.
In total, this means that the reform process will have taken around six years since the European Commission started its reflections on the matter. While this sounds like a long time we must remember that there are 27 Member States around the negotiating table; that’s at least 12 more than those negotiating our current framework which resulted in the Data Protection Act 1998! Even then the timescale is ambitious. Not many people expect agreement in June this year, but there is an imperative to get a package adopted by 2014 when the European Parliament and the commission are due for re-appointment.
Crucially, the ICO has been involved throughout, and from several angles. It is extremely important that we, as the responsible regulator, pay attention at this crucial point in negotiations to what the proposals say, understand how they might affect the UK and use what influence we have to achieve a sensible outcome for individuals and businesses alike.
We recently published some of our thoughts on the latest developments which we passed to MEPs and other stakeholders. This builds on our initial analysis which we published last year to provide a core reference point explaining our views on the reforms.
In summary, the Act is coming in 2013, but it is imperative that it does come, because at the moment so many essential things are missing, for example mandatory disclosure of breaches and compulsory data officers for all companies with over 250 employees.
Let's hope they resolve it soon.