EU leaders have vowed to agree on a new data protection regulation this year. Less than a month before the European Commission, Parliament and Council meet to negotiate the legislation, Data Protection Supervisor Giovanni Buttarelli says there’s no room for mistakes.
Europe’s current data protection legislation dates back to a directive passed in 1995. Legislators are now set to discuss a package that includes an updated directive. In an interview with EurActiv, Buttarelli said of the regulation, “The reform is likely to last two decades, which is a century today.”
Buttarelli took office as EU privacy watchdog last December, ahead of the data protection changes this year, and a crumbling Safe Harbour agreement with the US on companies’ data transfers from Europe.
The data protection reform contains measures to safeguard privacy and includes fines for companies that break the rules. Upcoming negotiations will also centre on the definition of users’ consent and the terms of when companies can use, store and reuse data for other purposes.
Parliament voted in favour of the reform during a first reading last year, while some member states have been sceptical of the regulation, including its so-called ‘one stop shop’ approach to dealing with data protection complaints.
“There are specificities at national level. But we cannot give too much space to adjustment, derogations, clarifications that can simply reintroduce through the main door what we are throwing out through the window,” Buttarelli said.
“The current discussion about the scope of application for public security, for the public sector, is to be carefully analysed.”
Germany previously opposed expanding rules that apply to companies on citizens’ data privacy to also apply to the public sector. Last week, in Brussels, German Interior Minister Thomas de Maizière said of the public sector clause, “That wasn’t so easy for us Germans to accept, but we’ve done it.”
One stop shop
In March, the European Council announced its ‘one stop shop’ solution to data protection complaints, allowing a European Data Protection Board (EDPB) of national authorities to intervene when cases are referred to it. Lawmakers say that will make it easier for citizens and companies to maketheir complaints to one local authority, and not be forced to travel abroad.
Buttarelli says that setting up the EDPB is the main challenge in coordinating national data protection authorities on cross-border privacy cases.
“The challenge is to find a reasonable mix between the activity of just one body, as it’s entitled to adopt a binding position. But at the same time, to ensure the principle of proximity, meaning the data subject should not be forced to go to the other side of Europe to simply exercise a standard right in his country,” Buttarelli said.
Saving Safe Harbour
The European Court of Justice is expected to reach a decision later this month that could liven up the standstill on the Safe Harbour agreement, which lets American companies operate in Europe, provided they vouch for the security of Europeans’ data they transfer to the US.
Negotiations on changes to Safe Harbour have been stalled amid concerns over the US intelligence agencies’ data collection.
“More than in danger, I see Safe Harbour in dead waters,” Buttarelli said.
“The two deadlines to find an agreement have both expired. May last year, May this year. We are aware of the difficulties, but at the same time, it’s time to have an answer from the US side. On the commercial dimension and on the national security exception.”
Buttarelli believes Safe Harbour should be reformed, and not abandoned for another agreement, since it has made it easier for American companies to do business in Europe.
“Safe Harbour, though not entirely satisfactorily from a European data protection viewpoint, has been playing a role,” Buttarelli said.
“Today, we can’t imagine that the intensive set of transfers of data from Europe to the US could be covered only by consent or by contracts or clauses or by binding corporate rules. This explains why more than 4,000 companies have been making use of Safe Harbour. So if we abandon it, it will be replaced by something else. Why necessarily move to something else when you can simply make the existing safeguards more effective in practice?”
In March, Buttarelli met with legislators during a one-week trip to Washington. He’s planning another trip to Silicon Valley in September “to be a sort of ambassador of European data protection” and “demonstrate that data protection fits into the big data world”.
In California, Buttarelli said, “We will be there to explore an area where technology is developing much more than here in Europe.”
“We’d like to understand how technologies will develop in the next 10 to 15 years. We’d like to prevent problems we many encounter at that stage and make existing rules more future-oriented,” he added.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Trialogue talks between the European Commission, Parliament and the Council on data protection are set to start at the end of June.