EU data protection regulations could be delayed until 2016
UK and business objections could put off implementation of new EU data protection rules
British and business objections could see the implementation of the European Union's data protection regulations delayed until 2016, according to MEP Jan Philipp Albrecht, vice chairman of the European Parliament committee overseeing the bill.
The regulations, which will circumvent the usual directive process of implementing EU laws, would carry hefty potential penalties for organisations found to have infringed them. Fines of up to five per cent of turnover or €100m have been proposed, although it is less clear how such penalties would be fairly levied on public sector or charitable organisations.
At a briefing last week, Albrecht said that the regulations, which were first proposed in 2012, had had almost 4,000 proposed amendments as member states sought to either water them down or toughen them up. Indeed, the EU sought to strengthen the regulations following the Edward Snowden revelations in 2013, even though most member states were as responsible for snooping on internet activity as the US National Security Agency (NSA).
According to Albrecht, the UK, France and Germany are all objecting to the proposals, although for different reasons. The UK, for example, objects to the centralisation of power under the EU and would prefer an old-style directive instead. EU privacy campaigners, however, argue that the directive model has led to too much variation in the way in which data protection is handled across the EU's 27 member states.
Albrecht, however, is keen for the regulations to be implemented as quickly as possible. "We don't know if we will make it this year. The European Council really have to run fast if they want to keep to the time scale. We hope we will manage, but if Council will wait even longer it will be very very difficult," his spokesman told SC Magazine.
James Castro-Edwards, a solicitor at PricewaterhouseCoopers Legal, added that the draft regulation was three times the length of the current data protection directive and described it as "a pretty draconian piece of legislation with the high fines, it's also very prescriptive, it's very detailed".
He added that the regulation still requires the agreement of the three bodies in the European legislative machine - the European Commission, the European Parliament and the European Council - which will, in any case, take time. "There's a lot of optimism about how quickly they can get it through, that's just not realistic," he said.