European ministers largely agree on international aspects of future data protection regulation, other issues unsolved

Time is running out, if the European Union is to achieve the tying together of a Data Protection package before the European parliamentary elections of May 2014. That became clear during the first informal meeting on the topic of European Justice and Home Affairs Ministers on Thursday in Athens.

Despite strong commitment by the Greek EU presidency, representatives from the lead committee of the European Parliament and EU Justice Commissioner Viviane Reding and, despite revelations of US surveillance of state leaders’ communications, member states could not agree to fast-track data protection for EU citizens. “The EU institutions must respond,” Juan Fernando Lopez Aguilar, Chair of the European Parliament Committee of Human Rights, Justice and Home Affairs (LIBE) said, calling to the member states to make up their minds.

“The Hellenic presidency would like to finalise the legislation,” said the spokesperson of the Greek Ministry of Justice, Transparency and Human Rights, Sotiris Krypstallis, immediately before the meeting on January 23 in Athens. “At least we want to close some issues,” he added with caution. According to reports from the European Commission, there was a very broad consensus in Athens on the international aspects, especially enforcing the regulation against third-country commercial and non-commercial services active in the EU.

“Firm” stand within Council of the European Union by June 2015?

On the eve the Justice and Home Affairs ministers' meeting, the Greek Presidency had invited the Commission, the Parliament's Rapporteurs and Italy - which will take over the presidency in summer 2014 - for talks about a roadmap on the package in Athens.

The EU Justice Commissioner spokesperson, Mina Andreeva, said there was a commitment from the Council to have an agreement in June and passing of the legislation in 2015. By June, “the positions of governments should be firm,” Reding was caught saying on Greek television in Athens. The newly elected Parliament could then start negotiations. According to the Commission, member states have committed to the package being enacted in 2015. Andreeva said this would still be quick, when compared to the negotiations around the current Data privacy directive, which have taken five years.

She rejected statements from experts who expect the package, including both the regulation and the much less debated directive for data protection in the law enforcement process, to only be enacted much later. German law professor Nikolaus Forgo, in an editorial expects that the final decision could be made as late as 2016 or 2017 and implemented in 2018 or 2019. Time enough for more fine-tuning of the regulation, Forgo wrote, against the push from Commission and Parliament.

Key differences

Issues still under discussion by the experts are for example the design of the one-stop shop. The Council's legal service had a point by warning that the current draft might be more adapted to business convenience, and less to easy access to a complaints procedure for individuals, one data protection expert says. Citizens in countries that have been enjoying rigorous interpretations and enforcements of data protection laws, may be exposed to weaker interpretation. According to Andreeva, expert deliberations on how to deal with potentially different opinions by the data protection authority competent for the company and the one competent for the complainant citizen are ongoing.

Other issues relate to reservations by individual member states. Germany for example is concerned with the consequences the regulation might have for the data protection regimes in public authorities. According to Andreeva, there had been quite some considerations about how, for example, the right to deletion of personal data granted to citizens might be aligned with the requests of public agencies – like tax authorities - to keep records. “There are hundreds of state level provisions in the federal system,” Andreeva explains. For two years, talks on how to allow for flexibilities had been going on. But a separation of public and private sector data within the regulation – like it had been suggested earlier in the process – was outdated and impossible in current data markets, said rapporteur Jan Philipp Albrecht.

Data protection versus intelligence services: lack of enforcement capacities

In addition to technicalities and more fundamental concerns by British representatives, there are also points listed by privacy advocates that should have been addressed in the regulation. Regardless of the revelations by whistleblower Edward Snowden, data protection authorities today did not think it was their job to investigate in foreign intelligence services and it was unclear if the regulation would change that, one expert said.

“Even if the regulation would be interpreted in that way, we don't have the tools, it would not be enforceable,” Thomas Kranig, head of the Bavarian Data Protection Office.

Enforcement and capacity to enforce in the data protection agencies is a potential problem, given potential lack of resources, financially and personally. Coordination of large enforcement actions against US multinationals might still be difficult, despite the ambition expressed by Lopez Aguilar, to “tackle the giants” with the regulation.

More points activists are concerned about are the exclusion of access rights where pseudonymous data is stored, the difficulty of access rights vis-à-vis intellectual property rights of data controllers and, above all, the complexity of the regulation.

Albrecht: No data protection regulation before the elections

Rapporteur Albrecht earlier this week at a meeting organised by the Greens in Bavaria defended the draft agreed upon nearly unanimously by the various European party groups in Brussels. The regulation was “in every point equal or even better than the German data protection standard,” he underlined. Albrecht said, there was no way to pass the regulation before the European elections, but there was a need to pass it as soon as possible after that. “We just cannot afford to postpone for years again,” he said. The tough negotiations with the Council will start after May 25. Stay tuned.