Data Protection Regulation: Is it On or Off?

November 1, 2013

Following last week’s European Summit Meeting of Heads of State, many commentators have assumed that the Data Protection Regulation will fail to meet the June 2014 deadline; I am not so sure of this. Let me explain why.

As you know, the Regulation passed the European Parliament hurdle two weeks ago; it is waiting now for the Council of Ministers meeting in December to see what further progress it will make.

Before the October Summit, David Cameron arrived in Brussels with a list of European Commission ‘red-tape’ legislation. Top of his list was the Commission’s Data Protection Regulation, which was eagerly proffered as an example of something threatening disproportionate additional costs, particularly for small firms.

Because of these discussions, mention of the Data Protection Regulation appeared in the final communique:

‘It is important to foster the trust of citizens and businesses in the digital economy. The timely adoption of a strong EU General Data Protection framework and the Cyber-security Directive is essential for the completion of the Digital Single Market by 2015.’

Many commentators have thus assumed that the 2015 date means that the Data Protection Regulation is dead. After-all ‘completion by 2015’ can be later than the June 2014 deadline for the Regulation.

However, I will point out the following: Spain, France and Germany (three of the large countries with Qualified Majority Voting clout) have all just called in US ambassadors as the National Security Agency (NSA) have tapped the electronic communications of nearly two hundred million citizens, including the respective Head of State (who all appear to be a bit miffed, to say the least). These States are also not keen on the ‘understanding and accommodating’ position of the British Government, mainly because GCHQ is seen to be in cahoots with the NSA.

Then there are the allegations that the NSA tapped Vatican communications, thus agitating the religious majority in Europe. (As an aside, it is really difficult to see why such interference could possibly be legitimate in national security terms. Even dictator Josef Stalin recognised this. When asked, in the Second World War, whether he was worried about the threats arising to the Soviet Union’s national security arising from the Vatican, Uncle Jo answered thus: ‘the Pope. How many divisions does he have?’.)

I have already reported that Mrs Reding is going around Europe (ignoring the unhelpful Brits and Irish) and exploring solutions with ‘cooperative’ countries. Most of Europe is not keen on Irish tax policies which attract the likes of Google et al, and do not like the idea of having a flexible Data Protection Regulation, policed by a small and under-resourced Irish Data Protection Authority.

Finally, at a meeting at the Ministry of Justice about two weeks ago, civil servants who are in charge of the UK’s negotiating position said that the crunch meeting is the Council of Ministers meeting in the first week in December (around December 6th). This is when voting on the Regulation is expected to happen.

So is it possible that, after that meeting, the death of the Regulation is announced. Equally possible is that Mrs Reding’s efforts, in combination with the backlash against NSA privacy busting peccadilloes, could produce an unexpected result.

My head says that, with all the varied disagreements over the Regulation, the Regulation will be delayed. However, my political antennae are picking up signals that Europe’s politicians might want to make a collective statement and, thanks to the NSA privacy-busting exploits, this Regulation could be in the right place at the right time to make it.

And because the Regulation does not apply to national security, there is no risk to national security when making this statement.

Chris Pounder is a Director of Amberhawk Training Limited, a company  which delivers information law training, including that required to meet the requirements of the ISEB qualification in data protection. He has been involved with data protection since the Lindop Report in 1978 and writes the ‘Hawktalk’ blog on privacy issues from which this article is taken: chris.pounder@amberhawk.com