Data bill enters final leg of state-level talks
Latvia’s EU presidency is aiming to wrap up years of talks on the EU’s data protection reform within the next few weeks.
First proposed at the start of 2012, the data protection bill has already gone through the European Parliament, which adopted its version in March last year.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
The plan is to have member states adopt theirs on 15 June so that negotiations can finally kick off with the parliament - but it is an ambitious task.
Four chapters were closed last year. Italy and Greece, the last two EU presidencies, managed to close only three.
Agreements have been reached on rules for public authorities, data transfer rules to countries outside the EU, rules on processors, controllers, and data protection officers, as well as rules on archiving and statistics for history and research purposes.
They also designated the lead data protection authority, charged to resolve disputes, as the one based in the country of the company’s main establishment.
The Latvian EU presidency, for its part, was handed eight chapters to resolve when it first started at the beginning of the year.
So far, it has managed to close only three.
Among the most contentious issues resolved include the so-called ‘right to be forgotten’, now called the ‘right to erasure’
What’s left?
Five chapters remain to be wrapped up in the next few weeks.
“We still think this is a reasonable aim and feasible,” said one EU diplomat.
The remaining chapters include issues on data subject rights, sanctions, definitions, final provisions, and the complex legal interpretations of implemented and delegated acts (secondary legislation).
The diplomat said talks have taken so long because of the different cultures and the complexity of the regulation itself.
Scandinavian countries, noted the source, argue, for instance, that the right to public information can prevail over privacy claims whereas Germany, the Netherlands, or Austria would be unlikely to take this line of argument.
Pressure to get the agreement sorted is mounting because of the uncertainties it creates for businesses.
Tough talks ahead with the European Parliament
Important differences have already emerged between what the European Parliament wants and what the member states have agreed.
For one, there is consent.
The parliament wants consent to process personal data to be explicit with member states wanting a more ambiguous option.
Second, member states want a risk-based approach to data protection, which would see risk quantified through things like impact assessments.
But detractors argue privacy is a fundamental right and cannot be measured in a uniform manner.
The parliament says IT systems should design their services “in a data-minimising way and with the most data protection-friendly pre-settings".
Member states also say data protection officers, used to make sure a company properly complies with the reformed rules, should be optional. The parliament says a mandatory appointment of such officers should depend on the amount and relevance of data processed by the company.
Another source of contention between the two EU institutions will over sanctions for rule-breaking.
Member states want sanctions to be up to two percent of global annual turnover but the parliament is suggesting as much as five percent.