They said it couldn’t be done. A draconian initial text and 4,000 suggested amendments to digest made the task so difficult that many experts had already given up hope. However, today the European Parliament has silenced many sceptical voices by approving a draft Data Protection Regulation which aims to replace the aging 1995 EU data protection directive.
The job is by no means completed. Now the Council of the EU (which shares the EU legislative power with the Parliament) has to deliver its own draft and provide the Member States’ contribution to this crucial process.
In the meantime, here are what I see as key highlights of the text approved by Parliament:
* The EU Parliament has considerably softened its original uber-strict approach and that should be welcomed because it makes the law more realistically applicable in practice.
* However, the complexity of the Commission’s proposal is retained and even expanded in some cases. For example, the one-stop-shop concept is now less clear-cut and therefore less likely to work.
* The EU Parliament wants to introduce a standardised format for privacy notices using icons. This is a brave move. The approach suggested is slightly dogmatic but the idea is a good one.
* The provisions on profiling remain but in a more reasonable format. This will continue to be a key area of debate over the coming months.
* There is a new emphasis on bi-annual compliance reviews, which together with the appointment of compulsory data protection officers will make legal compliance significantly more onerous.
* Disappointingly, there are still very unrealistic limitations on international data transfers, which are particularly onerous when made to non-EU public authorities. As predicted, the NSA revelations have distorted this issue and it will take a lot of work to untangle this.
* Finally, the massive fines of up to EUR 100,000,000 or 5% of annual turnover seem to be designed to send a clear signal out there about how serious this stuff is.
In summary, I don’t think the Parliament’s draft is entirely workable as it stands, but with the adoption of this text we are closer to having a modern EU data protection framework than ever before.