On January 25th, the European Commission published a proposal for a new data protection regulation to replace the 1995 Data Protection Directive. The 1995 Directive has come under considerable criticism due largely to the significant variation in implementation by the 27 EU member states. While the Commission had announced a review of the Directive in the last few years, the proposal of a Regulation is intended to reduce the myriad approaches across the EU while also updating the rules to reflect such things as social networks, increased and more complex international processing, online behavioral advertising, and breach notification, to name just a few.
The stated goals of the Commission in revamping the data protection rules have for some time included the expansion of an individual’s privacy rights, including the somewhat optimistic ‘right to be forgotten’, and for those subject to the rules, the simplification and consistency of compliance whether it be the use of cloud computing, international data transfer mechanisms, or marketing to European consumers. To those ends, the Commission has proposed the following:
Skepticism about the final product
While there is much to gain from understanding the proposed Regulation and assessing where an individual company’s risks may lie as a result of the changes, it is important to remember that the document is styled as, and remains, a proposal. The proposal must still be vetted by the European Council and the European Parliament. While the current draft most likely reflects a certain degree of consensus among EU members, the voting rules of the European Council and the Parliament mean that there will probably be further haggling and modifications in order to achieve the votes necessary for issuance of a final Regulation.
What to do?
With the proposed Regulation figuratively hot off the presses, there is much to digest in its 100 pages or so, in addition to identifying what has changed from the previously leaked version. The US government and international companies will doubtless want to understand how the proposed Regulation may benefit or hinder current and future activities, and to convey their observations through appropriate channels as the Regulation is considered.
In the shorter term, while the Regulation is not likely to emerge precisely as proposed, it is reasonable to expect many of the core changes to remain largely intact. We will continue to provide updates as understanding of and ‘feedback’ on the Regulation develop.