The review of the old EU data protection rules has been in the Commission’s agenda for years. EU Justice Commissioner Viviane Reding made the overhaul of the current legislation a priority of her mandate, but her plans to go ahead with the review have been regularly delayed.
The current attempt is no exception. As soon as Reding opened her legislative proposal to the usual internal debate between different departments of the EU executive, several critical voices started to be heard.
Six departments gave a negative opinion of the proposal, forcing Reding to quickly re-write many of the key elements included in her original text.
Reding still confident of January deadline
Despite the controversy, people close to Reding say that most of the pending issues have been solved, and confirm that the new legislative package will be presented on 25 January, as initially foreseen.
The package will include a communication, a regulation, a directive and a technical report.
The only stumbling block appears at the moment to be the staunch opposition posed by Malmström who is said to be in favour of delaying the proposals.
Commission officials argue that Malmström’s position may be dictated by her delicate negotiations with the United States on data transfers, a subject which has caused heated debates in Brussels.
The directive on data protection deals with data transfers. Moreover, Reding is pushing to extend the application of the new EU rules to all companies operating in the single market, regardless of their origin – a move that American internet giants openly dislike.
What is personal data?
The initial proposal included a definition of personal data which was deemed too broad by many Commission officials. The new rules are meant to impose a stricter application of the right of giving consent to have personal data used. Companies will be forced to obtain “an informed consent” from users each time their data are used.
Defining what personal data is clearly assumes a new importance in this context. Reding initially included some cookies in her definition of personal data, in line with a widespread position among data protection authorities.
Indeed, cookies are often able to track internet surfers and therefore can provide information that may indirectly be useful to identify users. At the moment, negotiations are still ongoing over what to do with cookies, although the subject is partially regulated by the e-privacy directive.
Notification of data breaches
Another sticking point concerns the provision of imposing a 24-hour notification obligation in case of data breaches, which happens when personal data are stolen by unauthorised parties. Recent cases involved Sony and Apple, which lost data of huge numbers of customers.
The original proposal has been however watered down because many in the Commission argued that it would have posed a “disproportionate burden” on companies.
Moreover, it would have been inconsistent with the e-privacy directive which requires, in case of data breaches, a notification “without undue delay.” Companies subject to this more vague rule could have benefited from an unfair competitive advantage against firms which fall under the stricter data protection regulation.
The new, but not definitive, text maintains the 24-hour term but adds the non-marginal clause “where feasible”, therefore loosening the obligation.