Who: Civil Liberties, Justice & Home Affairs Committee of the European Parliament (“LIBE”) and the European Council
Where: Brussels
When: October 2013
What happened:
In the space of just 5 days, EU data privacy law reforms took one step forward, then two steps back.
First, after weeks of negotiations in windowless rooms, it seemed that with one bound, the much delayed process of agreeing reforms to Europe’s data protection laws was back on track.
On 21 October 2013, the powerful LIBE published a revised draft “compromise package” Regulation. Some criticised it as in some respects unworkable, but the general consensus seemed to be that a reasonably workmanlike job had been done to blunt some of the sharper edges of the earlier draft. From here, it was felt, Euro MPs, the European Council and the European Commission should be able to push on in their “trialogue” discussions, knock heads together and complete the final negotiation rounds before all bets were off in Spring 2014 when Euro MPs and Commissioners stood down for fresh elections.
Marketers scrutinised the new draft and took some crumbs of comfort. Although many of the eye-watering changes were still in place, others that had caused sleepless nights had lost some of their sting.
At least one leading data protection expert expressed confidence that all would be resolved on schedule in early 2014.
“By early 2015” bombshell drops
But then, as pundits, industry bodies and advisers got to grips with the detail of yet another draft, as ever not knowing whether any of these might end up on the statute book, the next bombshell dropped.
At the end of the European Council meeting in Brussels on 25 October 2013, a communique was published with various conclusions. One mentioned the importance of ensuring that various proposed EU measures reached the statute book before the end of the current legislative period, in other words before spring 2014.
There was no mention here, however, of data protection reform. This was in the next conclusion, which read:
“The timely adoption of a strong EU General Data Protection Framework” [is] “essential for the completion of the Digital Single Market by early 2015.”
So there between the lines it was almost plain to see. The conclusion pointed strongly to there being no sign-off until 2015, so with a two-year lead-time baked into the draft Regulation, it was going to be 2017 before any new data laws had to be obeyed.
In a press conference PM David Cameron claimed credit for the indication of delay, saying:
“We do need to have a data protection directive in the EU but the current draft would add a lot of cost to businesses. It’s not right, so I made sure there was no false deadline for that one.”
So there things stand, at least at the time of writing, but there could yet be a twist in the tail. EU sources emphasise that the wording of the conclusion still allows for the possibility of introducing the new measure before 2015.
Some changes in the latest draft
In the meantime, just for the record, here are some of the headline provisions of the 21 October 2013 draft which will be of more interest to marketers:
1. fines for breach up to a maximum of the greater of 100m Euros or 5% of global turnover (this was 1m Euros or 2% of turnover in the first draft back in 2011);
2. any company processing personal data of more than 5000 individuals must appoint a Data Protection Officer (threshold was previously 500 employees);
3. although the picture is not clear, it seems possible that profiling for marketing purposes may escape the full rigours of prior explicit consent. The latter is only needed if the profiling leads to “legal effects” or “significantly affects the data subject.”
4. the new “European Data Protection Board” which in reality will be the Article 29 Working Party by another name, will be tasked with producing guidelines on a wide range of areas such as:
• profiling which significantly affects the interests, rights or freedoms of the data subject; and
• methods of verifying consent when processing children’s personal data.
5. a helpful new draft format in which the recitals relevant to a particular Article appear below that Article rather than in the Recitals section at the start. It would be good if this remained the format in the final measure, but sadly this is unlikely;
6. an interesting new approach to presenting privacy policy information in an intelligible and accessible way using standard symbols such as a circle with three figures in it symbolising “No personal data are disseminated to commercial third parties” and a bag of Euros held by a disembodied hand symbolising “No personal data are sold or rented out.”
Why this matters:
Whilst the revised draft Regulation takes significant strides towards the final measure, there can be no doubt that interest in its detailed provisions has waned since the “conclusion” of the European Council harbingered the likelihood of significant delay until 2015. And not without justification.
With over a year of negotiations now still to go, there have to be significant prospects of many more twists and turns in the drafting process. This will undoubtedly mean more opportunities for lobbying by the marketing industry. Whether this will lead to significant rowing back from some of the harsher changes for marketers, however, remains to be seen.