
Q: Have we just passed a new EU data protection law? A: Not yet!

Phil Lee
For those of you keeping tabs on EU data protection developments, today's exciting news was that the Council of the EU has reached a "general approach" on Europe's proposed General Data Protection Regulation, with the twin aims of enhancing Europeans' data protection rights and increasing business opportunities in the Digital Single Market.

And what a lot people have had to say about it! Some say it's going to "kill off Europe's cloud computing industry" (story here) while others describe it as "a brazen effort to destroy Europe's world leading approach to data protection and privacy" (story here). It's rather remarkable to note that both industry and civil liberties groups seem equally downcast about the new proposals, albeit for entirely opposing reasons.

But what these prophecies of doom all overlook is that we don't have a new data protection law yet. In fact, far from it - we're still only at the draft stage! And until we have agreed the final text of the new law, it's very difficult to predict where exactly we will land on many of the issues.

For those of you struggling to understand timelines and where exactly we are in the process, here's how things stand:

1. The European Commission (in simple terms, the executive branch of EU government) proposed a new EU data protection law in 2012 - this is the "General Data Protection Regulation".

2. The EU Parliament (for our US audience, think the House of Representatives) and the Council of the EU (think the US Senate) each then got to review and table amendments to the draft legislation through various committee proceedings - the aim being for each institution to come up with its own preferred draft of the law.

3. The EU Parliament put forward its proposed "version" in March 2014, favouring strict protection of individuals' rights. Today's development is that the Council of the EU has finally (and reluctantly) put forward its own proposed "version", with a greater leaning towards risk-based application of data protection rules. This some 3 years after the law was originally proposed by the Commission - progress has not been quick.

4. What happens next is that the Parliament, the Council and the Commission will now enter three-way "trilogue" negotiations (explained here). These are scheduled to begin on 24 June and their ultimate aim is to produce a final negotiated text that all three institutions agree on. Then, and only then, will the General Data Protection Regulation become law.

5. But, wait a minute! Even when the new law does get adopted, it's unlikely to take effect for a further two years (unless this two-year lead-in period is negotiated out during the trilogue). So, even assuming things go swimmingly and the three institutions agree on the language of the law this year, then it is still very unlikely to become effective before the middle of 2017 - and, given the rate of progress to date, 2018 frankly seems more realistic.

What all this means is that today was certainly a big day for EU data protection, but there's still a long road to travel down. There are some things that seem almost certain to make it into the final text (application of EU data protection rules to any worldwide business servicing EU citizens, extension of liability to data processors, some notion of a one-stop shop, greater fines etc.), but many that still remain open to debate (mandatory DPOs, the role of consent, etc.).

Stay tuned, and we'll keep you posted once we have a better assessment of the likely final text of the law. In the meantime, enjoy speculating along with everyone else but remember that, until the law is adopted, it's just that - speculation!
