When Will the New European Data Laws Come In?

By Jonathan Armstrong
May 02, 2015

One of the most frequent questions that we have at the moment is about the timetable for Europe's changes to data protection laws. Needless to say, there is no definite answer. However, the path forward may recently have become just a little clearer.

The History Behind the Proposals

The EU first brought in data protection laws in 1995. Many European countries had had their own data protection laws before that time, but the 1995 Directive was an attempt to add an element of harmonization to those laws across Europe and to set minimum standards for personal data protection which would apply across the EU. Since this was a Directive (as opposed to an EU Regulation), law-making and enforcement was left to each individual EU country.

In January 2012, the European Commission proposed a new data protection Regulation to replace the 1995 Directive, which, it said, was no longer fit for purpose. They proposed a Regulation this time around: one law applying across the whole of the EU in a uniform way.

What Has Happened Since?

It is fair to say that progress since 2012 has been slow. The proposals are wide-ranging and consequential: the original 2012 draft had fines of up to 2% of global annual turnover. More recent proposals have tried to increase the penalty to 5%. More than 3,000 amendments have been proposed to the Regulation.

Recently, the lack of progress has been criticized by members of the European Parliament and also, in February, by Viviane Reding, the former Vice President of the European Commission, who was one of the authors of the draft Regulation. Some may say that politicians like Ms. Reding share the blame. The proposals were always too one-sided to achieve consensus. Onerous and poorly thought-out proposals like the reporting of security breaches 'without undue delay and, where feasible, not later than 24 hours after having become aware of [the breach]' were never likely to pass through quickly on a unanimous basis.

The wording of much of the proposed Regulation was clumsy, and too many powers were reserved to the Commission. I wrote my first blog on the proposals on Jan. 25, 2012, the day the proposals were first announced. I said then that the Commission's timetable was 'perhaps a little optimistic.' Even then it was clear that there would be considerable opposition to some of the proposals, especially when elements of the Regulation had previously been rejected.

The Dangers of Uncertainty

One of the difficulties in this process is of course the fact that businesses need certainty. Some businesses have grown tired of hearing about the new proposals and are doing nothing. That is unlikely to be a safe solution. At the same time, we know that the contracting process is becoming ever more difficult. For example, we have seen an agreement from a large UK state enterprise that included a clause to say that if new data protection laws came in during the currency of the contract, they would have the right to unilaterally vary the agreement between the parties to take account of any changes they, in their absolute discretion, thought were necessary. Whether or not an agreement like that is legally enforceable, this is clearly an area of risk given that a number of outsourcing and services provision agreements being signed currently will extend for a period beyond the date when the new law comes in.

Other businesses seem to be waiting for the Regulation too. Cyber insurance is clearly a real area of interest and there is a part of the insurance industry that is waiting for the new data breach reporting obligations for the metrics it believes it needs to price policies. They too will have to look for other solutions if they want to write policies in the next two or three years.

There are risks in predicting the future and organizations large and small will need to take special care with any contractual arrangement that could still be in force after the new law comes in.

What Does the Current Timetable Look Like?

David Smith, the Deputy Information Commissioner and Director of Data Protection in the UK, wrote a helpful personal blog in February that gives us some indication of how much work remains to be done before the new law comes in. See, 'Three Years On ' ' And Still Waiting for Reform.' Mr. Smith pointed out (as we have done repeatedly) that the final version of the Regulation is by no means clear, and that there is little utility in studying the detail of some of the subsequent 're-drafts' that have been proposed by various parties since the 2012 draft. He feels that we will still be left with a Regulation rather than the lesser alternative of another Directive. A Directive would give member states flexibility, but would likely lead to delays and inconsistency as it would be up to each member state to produce their own version of the law.

Mr. Smith seems to think that the earliest time for the end of discussions between the various EU organizations would be the end of 2015, but that 'agreement in the first half of 2016 might be a more realistic prospect.' The European Commission previously committed to a two-year period for implementation, which would mean a start date for the Regulation of 2018.

Mr. Smith has also drawn attention to an added complication, which is that the Regulation is supposed to be agreed alongside a parallel piece of draft legislation consisting of a Directive specifically focused on data protection concerning law enforcement and justice. This is apparently the subject of even more political disagreement at the highest EU level. So final adoption of the Regulation may be even more of a hostage to fortune.

As a result, the period of uncertainty is likely to remain for some time yet. Definitive answers remain in abeyance, but in the meantime, there's a real need for businesses to take proper precautions in their contracts and keep up the preparatory work for some aspects of the law that we know are likely to come in.


Jonathan Armstrong, a member of the Board of Editors of our sister newsletter, The Corporate Counselor, is a commercial lawyer with Cordery Compliance in London, where he focuses on regulatory compliance, processes and investigations. He can be reached at [email protected].
