Politicians willing to compromise on Data Protection Regulation

Last week I attended the Privacy Laws & Business Conference at Cambridge University. The morning kicked off with an update on the EU Data Protection Regulation. There were representatives from the EU Commission, European Data Protection Board (EDPB), Article 29 working party and the Information Commissioner’s Office.

Bruno Gencarelli, head of data protection unit at the European Commission, showed a willingness to negotiate. It seems that this was down to political pressure to conclude the Data Protection Regulation, which has taken many years to get this far. This was apparent when Giovanni Buttarelli, supervisor at the EDPB, made light of the fact that the Commission has promised many times before that negotiations would be completed ‘by the end of the year’.

However, this was something of concern for Isabelle Falque-Pierrotin, chair of the Article 29 working party, a forum where various national data protection authorities discuss common policy positions. She worried that political pressure would lead to ill-thought out and hasty decisions. Falque-Pierrotin said regulation must not mean lowering legal safeguards in any respect. It shows how muddy negotiations have become that the article 29 working party is now worried that legal safeguards will be reduced. The whole point of a new regulation was to bolster freedoms and harmonise laws, not to reduce legal protection.

She also mentioned a number of asks that the Article 29 working party want from the regulation. Firstly, the working party want the definition of personal data to be broad to ensure that definition will take account of new technology in the future. Pseudonymous data would therefore not have a separate definition, but would mean fewer legal obligations in certain data processing tasks.

Secondly, for larger businesses a data protection officer should be mandatory but Falque-Pierrotin agreed that SMEs would be spared, saying, “We don’t mean to say that the small bakery needs a data protection officer”.

In many areas the Data Protection Regulation is too prescriptive, to the extent that it may not achieve what it sets out to do. For example, mandatory data breach warnings could mean that consumers suffer from fatigue as they are informed of every minor breach and perversely, this may mean they miss news of a worse data breach that requires them to take action.

Christopher Graham, the Information Commissioner, warned against making the regulation too prescriptive and said obligations in the regulation should be there based on what European Member States are prepared to do. That is, don’t have regulation that is overly complex if you don’t give national data protection authorities the resources they need to properly enforce that regulation.

There are many long nights of negotiating ahead, but the changing tone in the debate is positive. Views are becoming less entrenched as the EU Commission, Parliament and Council all demonstrate their willingness to compromise in the trilogue negotiations.

To find out more visit the DMA Data Protection Toolkit.