The General Data Protection Regulation (GDPR) is important. As a regulation the GDPR will be in force in every European Union Member State, and each state will only be allowed to pass its own data protection law if this is permitted by the GDPR, or if the subject matter of the law is outside of the GDPR’s scope. Although there is some difference of opinion over the details, there is a common political consensus that the European Union needs a modern, European-wide approach to data protection law. A paper published by the European Council (representing each Member State), on 25 October 2013 states that the GDPR should be adopted by 2015 in order to advance the digital Single Market. However, progress to date has been slower than anticipated, and hoped for, by the Commission - the GDPR has not yet been adopted and it is expected that discussions will continue until at least 2015. This article considers the current progress of the GDPR.
1. Why are some Member States opposing the current proposals?
Some Member States such as the UK, although supporting data protection reform, favour watering down the proposals and implementing the reform by way of a directive. Such Member States are of the opinion that the GDPR is regulating more aspects than necessary.
Germany is also reported to be delaying the adoption of the GDPR. While Germany supports a European approach, its main concern is that the GDPR would result in a lower level of protection than under current German data protection law. In Germany there are different statutes regulating data protection, such as the Federal Data Protection Act (BDSG) and the German Tele Media Act (TMG). While the GDPR will replace the BDSG for most matters, the future relationship between the GDPR and the TMG still remains unclear.
Another example is Austria, where a company's data is protected by the Austrian Data Protection Act. The current GDPR will only protect an "identified natural person or a natural person that can be identified". This is one of the reasons why Austria is averse to certain provisions and wants to keep its current level of data protection.
Due to the nature of the way the GDPR has to be passed – by agreement of each of the three independent bodies, the European Parliament, the Commission and the Council, each of which can propose amendments – it is difficult to be certain of the scope of the final consolidated text of the GDPR. The extent of the amendments made by the European Parliament’s representatives, together with the Council’s silence on its position has, inevitably, meant the likely final text is less clear. So, at this stage, there is still an element of speculation when considering specific aspects of the GDPR and its potential application.
In addition, some Member States have criticised the GDPR for not adopting a more modern approach towards eCommerce and internet-related questions. The GDPR is supposed to provide answers to future as well as current questions, however many stakeholders believe that the GDPR, to some extent, recycles the old EU Data Protection Directive.
2. What has been happening and what will happen next?
On 12 March 2014 the European Parliament adopted the draft legislation following its first reading. By voting on these proposals the European Parliament consolidated its position so far, in order that the result can be handed over to the next European Parliament which will be elected in May 2014. However, the vote does not mean that the GDPR has finally passed the European Parliament. Before it is finally approved the text will need to be agreed through tripartite discussions (between the European Parliament’s representatives, the Commission and the Council) and then approved. However, those discussions cannot commence until the Council determines its position, which, despite meeting in March, it has yet to do. There will be future discussions within the relevant committees and further readings, but currently the timings are uncertain.
At the moment it is unclear if the next European Commission will focus on the GDPR with the same determination as Viviane Reding, the current EU Commissioner for Justice, Fundamental Rights and Citizenship. Without Viviane Reding’s drive, there is a danger the newly elected European Parliament, and the European Council, may lose the momentum for reform.
In the meantime, it remains to be seen if some Member States might implement elements of the current data protection proposals ahead of time.