With the passing of the draft EU Data Protection Regulation (the “Draft”) by the LIBE committee of the EU Parliament on 21 October, the negotiations between EU member states have begun in earnest. The Draft includes a number of controversial changes to the EU data protection framework, including suggestions problematic for the US.
Before negotiations over the substantive content even began, the Draft has run into its first roadblock: a disagreement over timing.
Initially, when the Draft was approved, there was a broad push to ensure it was passed before EU parliamentary elections in May 2014. Some member states, in particular the UK, have long been uncomfortable with the tightening up of data protection laws. They have argued that this is an artificial deadline which does not allow for the proper consideration of perceived flaws in the Draft or of the implications for business. They are also concerned that this is driven by a political knee-jerk reaction to recent allegations of mass surveillance by US authorities on EU citizens. This has been a constant refrain of supporters of the Draft, such as Jan Albrecht of the LIBE Committee.
The European Council has the difficult task of aligning the interests of the 28 Member States into a coherent position. It added to the uncertainty on 25 October by issuing a statement saying that the “timely adoption” of the regulation would be “essential for the completion of the Digital Single Market by 2015”.
Left open to interpretation, as it is, this statement has been construed by some as a dilution of the May 2014 deadline. Meanwhile others, such as Viviane Reding, Justice Commissioner of the EU, have said the statement reaffirms the deadline. The very fact that the statement was so ambiguous demonstrates that disagreements exist within the Council and that the Draft has a long way to go before it becomes law.
This comes at a critical point, just as transatlantic tensions over alleged surveillance of EU citizens by US authorities reach new heights.