A timeline towards the publication of the new EU General Data Protection Regulation is a crucial factor for companies looking for EU wide data protection compliance and perhaps new opportunities of data processing. The current activities of the respective committee give an idea of when the harmonised set of rules will be applicable in the member states.
The discussions around the much-anticipated EU General Data Protection Regulation receive more and more attention in the european member states as a timeline for the next steps is being published. In March 2013 the 3133 amendments (find the last ones 2951-3133 here) to the European Commissions Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) were first considerated by the Committee on Civil Liberties, Justice and Home Affairs (LIBE). The LIBE is in charge of most of the legislation and democratic oversight for policies linked to the transformation of the European Union in the area of freedom, security and justice.
The schedule after the first consideration of the 3133 amendments is supposed to be as follows:
- 28/29 May 2013 – Orientation vote in LIBE Committee,
- from June 2013 on – Negotiations between European Parliament, Council and Commision (Trilogue) depending on progress in the Council of Ministers,
pursuant to the rapporteur of the LIBE Jan Philipp Albrecht. Furthermore Article 91 of the Regulation gives important information about the entry into force and application of the new set of rules:
- “1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
- 2. It shall apply from [two years from the date referred to in paragraph 1].”
Assuming a publication in 2014, member states will apply the same data protection level presumably in the year 2016.
Some main topics
Preservation of the high data protection standards
Concerns arise whether the Regulation could lower data protection standards in the view of some member states. Germany for instance is in favor of the institution of a corporate data protection officer compulsory across Europe. The advantages of this self-regulation approach is a main discussion point. The responsabilty of the data controller for the data processing in a company remains regardless the size of the company.
Race to the bottom
A harmonisation of the data protection level for everybody might nevertheless lead to the situation, that companies placing their main establishment in a country with weak data protection standards, have strong advantages. Its well known that not every data protection supervisory authority in the member states has the same staffing level and ressources for considerable investigation and enforcement actions. It is quite unclear whether a thought European Data Protection Board could establish a foreseeable data protection environment and preserve a race to the bottom.
One-stop-shop but no group privilege
The Regulation currently does not address the so much wanted group privilege for companies working in group structures across Europe. Nevertheless companies can take advantage of the one-stop-approach and discuss transborder data flow issues with only one supervisory authority in the country of their main establishment.