EU data protection regulation

03 July 2015

The progress of the proposed overhaul of EU rules relating to data protection has been far from swift. However the final stage of the negotiations between the EU Commission, EU Parliament and the EU Council has just started, with each having formally adopted a favoured proposed text to take into those trilogue discussions.

If all goes according to timetable, it could be Luxembourg as next holders of the EU Council Presidency which sees a new regulation across the line before the end of 2015, failing which yet another year will pass without agreement. The EU Council's draft, adopted on 15 June, confers greater discretion on business and offers an attractive flexibility in comparison to that of the EU Parliament. Much is still to be agreed: major subjects such as whether consent from individuals to the processing of their data should be express and unambiguous, what discretion businesses have in their assessment of the severity of data breaches before they must be reported, whether every business must have a data protection officer and the all-important question of the applicable level of fines are all yet to be settled, notwithstanding that the overall agreement on this regulation is part of a wider package requiring agreement on a law enforcement directive as well. In summary, progress of sorts and a new phase of discussion has been entered into. Should businesses be doing anything to anticipate the regulation now? The answer remains a qualified, yes. Data compliance is part of a wider suite of matters which require on-going attention and cannot be ignored. It is inherently tied to broader information security considerations and the cyber-risk agenda which no current board director can afford to ignore.