Companies say that they would much rather have to comply with a very onerous set of requirements than comply with 27 different sets, the lawyer said in an interview with EurActiv.
“But they need to be careful what they wish for, because the full implications are now sinking in: this is not going to be harmonisation at a low level but at a higher level, and in a number of countries – like the UK and Ireland, where they have traditionally had a hands-off approach – are suddenly faced with the notion of German-style data protection rules coming into force, and this raises all kinds of issues,” warned the Hunton & Williams lawyer.
According to Kuner, IT and online companies have caught on to the idea of new rules, but the ‘old economy’ companies are likely to be left behind as they struggle to implement the new legislation.
The package proposed by the Commission also has huge implications for governments and regulatory authorities, and that is being ignored in the public discussion, argues Kuner.
“In many ways ordinary public authorities are far behind the private sector in terms of their sophistication in dealing with IT and data processing. Their budgets are being cut and they do not have the opportunities to go out and raise business and money as the private sector does, so in a way they are going to be squeezed even harder than the companies in their efforts to keep within the rules,” the lawyer added, taking as an example rules on police [data protection] co-operation.
At the same time, there are concerns that the proposal will be watered down. Kuner explained that the proposals that would affect the private sector most are in the form of a regulation, which, met by opposition, could be reconverted into a directive. That would need to be implemented by EU countries, which would adapt it to their national needs. If it remains a regulation, then opposition could also trigger more exemptions and de facto watering down the initial proposals.
“There are already some articles [in the draft regulation] calling on the member states to take their own action, some in-built subsidiarity, and this could be extended in the final version, diluting the effects of the regulation,” said Kuner.
Opposition is also building outside Europe’s borders. The United States wants to improve its data protection framework by including some ideas from Europe, but Washington has said that the proposals are not helpful.
“The Commission is not going to prioritise harmonising EU law with Chinese or US rules. It is great to have international harmonisation, but it is a lower priority than getting the rules straight in Europe. Justice Commissioner Viviane Reding and her colleagues are keen for the EU to be a leader in privacy regulation and are pursuing their agenda aggressively,” argued Kuner.
Christopher Kuner was speaking to Jeremy Fleming-Jones