Commission strife risks delaying data protection overhaul


This article is part of our special report Data protection.

A dire debate within the European Commission risks delaying once more the publication of a comprehensive package on the review of data protection rules. After significant reworking of the original text, the only remaining opponent seems to be EU Home Affairs Commissioner Cecilia Malmström.

The review of the old EU data protection rules has been on the Commission’s agenda for years. EU Justice Commissioner Viviane Reding made the overhaul of the current legislation a priority of her mandate, but her plans to go ahead with the review have been regularly delayed.

The current attempt is no exception. As soon as Reding opened her legislative proposal to the usual internal debate between different departments of the EU executive, several critical voices started to be heard.

Six departments gave a negative opinion of the proposal, forcing Reding to quickly re-write many of the key elements included in her original text.

Reding still confident of January deadline

Despite the controversy, people close to Reding say that most of the pending issues have been solved, and confirm that the new legislative package will be presented on 25 January, as initially foreseen.

The package will include a communication, a regulation, a directive and a technical report.

The only stumbling block at the moment appears to be the staunch opposition of Malmström, who is said to be in favour of delaying the proposals.

Commission officials argue that Malmström’s position may be dictated by her delicate negotiations with the United States on data transfers, a subject which has caused heated debates in Brussels.

The directive on data protection deals with data transfers. Moreover, Reding is pushing to extend the application of the new EU rules to all companies operating in the single market, regardless of their origin – a move that American internet giants openly dislike.

What is personal data?

The initial proposal included a definition of personal data which was deemed too broad by many Commission officials. The new rules are meant to impose a stricter application of the right to give consent to the use of personal data. Companies will be forced to obtain “an informed consent” from users each time their data are used.

Defining what personal data is clearly assumes a new importance in this context. Reding initially included some cookies in her definition of personal data, in line with a widespread position among data protection authorities.

Indeed, cookies are often able to track internet surfers and therefore can provide information that may indirectly be useful to identify users. At the moment, negotiations are still ongoing over what to do with cookies, although the subject is partially regulated by the e-privacy directive.

Notification of data breaches

Another sticking point concerns the provision imposing a 24-hour notification obligation in case of data breaches, which happen when personal data are stolen by unauthorised parties. Recent cases involved Sony and Apple, which lost data of huge numbers of customers.

The original proposal has, however, been watered down because many in the Commission argued that it would have imposed a “disproportionate burden” on companies.

Moreover, it would have been inconsistent with the e-privacy directive, which requires, in case of data breaches, a notification “without undue delay.” Companies subject to this vaguer rule could have benefited from an unfair competitive advantage over firms which fall under the stricter data protection regulation.

The new, but not definitive, text maintains the 24-hour term but adds the non-marginal clause “where feasible”, therefore loosening the obligation. 

In a recent comment posted on her blog, EU Digital Agenda Commissioner Neelie Kroes made clear her thoughts about the overhaul of data protection: “Rules must take account of the impact on businesses as well as on citizens. And we can’t afford to stifle innovative entrepreneurs and new ideas. If we are too rigid and controlling, we will serve no-one’s interests. Because, faced with too many restrictive rules and obligations, would-be data controllers may just take their bright ideas outside the EU – or give up altogether,” reads her post.

Monique Goyens, director general of the European Consumers’ Organisation (BEUC), commented: “The current framework has stood the test of time well because it is based on flexible definitions, is technology neutral and established valuable regulatory principles. Most importantly it laid down strong safeguards of consumers’ personal data. In our eyes where it has fallen down is more to do with poor compliance by companies and ineffectual enforcement of its provisions. There is no use in having robust written rights unless they are put to work.”

“The revision affords a chance to make it future-proof, as it will be in force for the next 15 years or so. The proposal will stand or fall based on how flexible it is in responding to developing technologies and how it strengthens consumers’ rights,” she said. 

According to the Business Software Alliance the new framework needs to be made future-proof in a fast-changing digital environment.

“To do that, it needs to be technology-neutral and focus on substantive outcomes rather than prescriptive requirements and procedures. In its current form, the draft risks hampering the competitiveness of Europe’s digital economy and severely stunting the growth of important new markets like cloud computing. It furthermore contains unnecessary burdens for Europe’s ICT companies – especially SMEs – without bringing added protection to citizens. The Business Software Alliance believes legislation should balance the European community’s shared interests in protecting data, promoting innovation, and enabling a free flow of information,” said BSA's director for European government affairs, Thomas Boué.


Existing European Union rules on data protection were adopted in 1995, when the full potential of the internet had not yet been realised. According to the EU, in 1993 the internet carried only 1% of all electronic information, while by 2007 the figure was more than 97%.

While the growing number of tailored products and services offers increased benefits for consumers, it also relies enormously on the use of personal data.

Private information can range from financial data, such as credit card numbers or bank account deposit details, to sensitive information concerning health conditions or sexual and political orientation. Many also consider location data or online identifiers, such as cookies, to be personal data.

The possibilities for misusing or abusing this information are infinite. In the long process to review current rules, the Commission has already flagged several ideas on how to improve data protection, through increased awareness of the data used and possible breaches of personal information; introduction of the right to be forgotten; and clearer methods to require authorisation from data holders to deal with their personal information.


  • 25 Jan. 2012: Possible publication of data protection package
