The European Parliament has just announced another delay affecting the vote on its version of the EU Data Protection Regulation. That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest. Although this was sort of expected, optimistic people like me were still hoping that the LIBE Committee would get enough consensus to issue a draft this side of the Summer, but clearly the political will is not quite there. This is obviously disappointing for a number of reasons, so in case the MEPs need a bit of motivation to get their act together, here are a few things that are likely to happen if the new Regulation is not adopted before next year’s deadline:
* Inconsistent legal regimes throughout the EU – The current differences in both the letter of the law and the way it is interpreted are confusing at best and one of the biggest weakness to achieve the right level of compliance.
* Non application of EU law to global Internet players – Thanks to its 90′s references to the ‘use of equipment’, the Directive’s framework is arguably not applicable to Internet businesses based outside the EU even if they collect data from millions EU residents. Is that a good idea?
* Death by paperwork – One of the most positive outcomes of the proposed Regulation will be the replacement of the paper-based compliance approach of the Directive with a more practical focus. Do we really want to carry on spending compliance resources filling in forms?
* Uncertainty about the meaning of personal data – Constantly evolving technology and the increasing value of data generated by our interaction with that technology have shaken the current concept of personal data. We badly need a 21st century definition of personal data and its different levels of complexity.
* Massive security exposures – The data security obligations under the existing Directive are rather modest compared to the well publicised wish list of regulators and, frankly, even some of those legal frameworks regarded as ‘inadequate’ by comparison to European data protection are considerably ahead of Europe in areas like data breach notification.
* Toothless regulators – Most EU data protection authorities still have very weak enforcement powers. Without going overboard, the Regulation is their chance to make their supervisory role truly effective.
The need to modernise EU data protection law is real and, above all, overdue. A bit of compromise has to be better that not doing anything at all.