Privacy & Information Security Law Blog

On January 20, 2015, a group of public officials and industry representatives met in a public discussion panel in Brussels to debate the progress of the proposed EU General Data Protection Regulation (the “ Proposed Regulation”) and the major themes that are yet to be resolved. The panelist included Paul Nemitz, Director for the Fundamental Rights and Union Citizenship of the European Commission, Jan Philipp Albrecht, MEP and Vice Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and Pat Walshe, Director of Privacy and Public Policy of Groupe Speciale Mobile Association.

Notably, the panelists weighed in on the likely timing of the final text of the Proposed Regulation. The majority predicted “Spring 2016” as a possible date for the final text, which would fall within the forthcoming Dutch Presidency of the European Union. No panelist, however, offered a concrete date, but they all agreed that it would be preferable to issue a final text as soon as possible.

Pat Walshe raised questions about the harmonization of the Proposed Regulation with other European legislative instruments, such as the e-Privacy Directive, which overlaps with the Proposed Regulation in some places but has a different territorial scope. Paul Nemitz and Jan Philipp Albrecht agreed that their preferred approach would be to finalize the text of the Proposed Regulation first, and deal with legislative harmonization later. Inevitably, this approach will entail a period of uncertainty for businesses until harmonization is achieved. Paul Nemitz also spoke of his desire not to see new questions about the Proposed Regulation raised at this stage, as such could delay the progress of the final text.

A particular point of contention arose around the issue of data breaches. Jan Philipp Albrecht expressed concern that the Council’s risk-based approach might weaken the EU’s ability to provide strong data protection rights for individuals. Paul Nemitz contended that the flexibility offered by the risk-based approach was needed, and suggested that the European Data Protection Board, which would be created by the Proposed Regulation, could address concerns around the rights of individuals by issuing guidelines on certain issues, such as the reporting of data breaches.

The debate highlights that significant challenges still exist to securing a consensus of all parties on the final text of the Proposed Regulation. It is nevertheless clear that all parties remain committed to the goal of concluding the process in a quick manner.