European Union policymakers want companies to begin preparing now for the trading bloc's new data protection regime, even though regulators are still working out central aspects of the plan and there's a still a chance the whole project could even collapse.

Speaking at the Compliance Week Europe conference this month, Peter Hustinx, head of the European Union's Data Protection Supervisor, admitted there was no guarantee a draft data regulation working its way through the EU's tortuous legislative process would ever become law.

The five committees charged with scrutinizing the draft legislation have called for thousands of changes. But Hustinx said this was not unusual, and a final version was “likely” to be agreed by next April.

That deadline is crucial. Voters in the EU's 28 member states will elect a new European Parliament in May. If the current parliament hasn't approved the data regulation by then, the approval process will have to start over.

There's only a 60 percent chance that policymakers will meet the deadline, said Simon McDougall, a speaker at the conference and managing director of Promontory, a consulting group that follows the EU legislative process closely.

He said getting the legislation approved was a 30-step process and the EU was still only at step one, despite two years of effort. “We haven't even got a draft in front of Parliament yet.” If the new laws don't pass, companies operating in the EU will be stuck with a patchwork of 28 different compliance regimes for years, he warned.

One reason for the slow progress is that “there is still genuine disagreement about how data protection should work” in Europe, said McDougall. Agreement was gradually becoming more likely, as politicians felt a greater need to “do something” about protecting data, he said. But the haggling could go right to the wire. The result: bad legislation that is hard to apply, McDougall warned.

“What I fear is that we'll sprint at the finish and end up with a lot of compromises written by people who are too tired to argue any more,” he said. “People are fighting about individual lines of the regulation, they've gone out of the big picture and into the detail.”

In his conference speech, Hustinx said the principles underpinning the draft regulation were the same that drive European data law today, and this continuity ought to reduce the compliance burden for companies when the new rules take effect.

The new legislation will bring the application of those principles up-to-date for the internet age and standardize how the EU's member states apply them, he said. “We cannot afford to have answers that are slightly different in all 28 member states. We need to be consistent.”

“What I fear is that we'll sprint at the finish and end up with a lot of compromises written by people who are too tired to argue any more.”

—Simon McDougall,

Managing Director,


A Not-Quite-Common Approach

Still, Hustinx admitted that even with the new laws in place, companies that operate across EU member states would still have to deal with different compliance regimes. The claim that Europe will have one common approach “is perhaps overstated,” he said. “It's not going to be absolutely identical.”

That's because so much of the risk and compliance burden for companies depends on how rigorously national data regulators enforce the rules. Under the new regime, a company should be able to deal only with the data regulator in the country where it does most of its EU business, with regulators in other countries playing second fiddle. Whether it works like that in practice remains to be seen.

Above: CW Europe keynote speaker Peter Hustinx, European data protection supervisor.

Regulators in Britain and Ireland, for example, are far more willing to take a business-friendly view and to mitigate fines if companies have at least tried to comply, than those in other countries, which McDougall called “more aggressive and frankly less forgiving.”

Companies would have two years to prepare for the new laws once they are passed, but Hustinx urged conference delegates to “catch up” now if their data practices were not in line with European standards. “Don't wait for the spring, do it when you get back to your office,” he said.

Moving Targets

Important parts of the regulation, however, are still up for grabs. The original draft regulation gave EU citizens a “right to be forgotten” by companies that hold their data. McDougall thinks this is likely to be watered down; a right to have personal information deleted is more practical.

Consent is another divisive issue. The draft regulation wanted consumers to give “explicit” consent for their data to be processed. One of the more business-friendly parliamentary committees wants to replace explicit with “unambiguous,” which would give companies more room to maneuver.


Below is an excerpt from the CW Europe Presentation of European Data Protection Supervisor Peter Hustinx.

Why Data Protection?

A legal framework across EU: Directive 95/46/EC as currently implemented in 28 national laws

Increasing impact: more critical issues online and offline in many areas (public and private sector)

Data Protection Reform: high on political agenda and expected to be delivered by Spring 2014

Main drivers of reform

Technological development: more effective protection needed

Globalisation: more consistency needed to reduce EU-wide diversity and complexity

Lisbon Treaty: a new legal base for horizontal EU-wide data protection law

Procedure & Timing

Commission: draft Regulation proposed in January 2012

European Parliament:

3000+ amendments tabled > preparation of compromise AMs

vote in LIBE Committee now planned for 21 October

Council under CY/IE/LT Presidency:

almost finished the first reading of Regulation

“partial general approach”

Negotiations (“trilogies” - including COM) expected to start soon

Final agreement/vote planned in Spring 2014

Source: Peter Hustinx Presentation.

The draft regulation said companies can only process personal data for “legitimate” interests, which has fueled a big argument among policymakers about what that word means. “Some people want to really narrow it down so it's almost meaningless,” said McDougall. “Others want to keep it broad.”

There's also debate about how prescriptive the regulation ought to be and whether member states should have any scope to tweak its measures when they adopt them into local laws.

The European Commission—the executive arm of the EU—wants minimal adaptation, but some of Europe's most powerful nations, including the United Kingdom and Germany, still want member states to have some leeway to alter the measures.

That would be a big deal. The fact that the new laws were put forward as a draft Regulation, which member states can't alter, was “revolutionary,” Hustinx told the audience. Any change to that would make it harder to achieve a common European approach.

Hustinx argued that data privacy is a basic human right for Europeans and rejected the idea that the new laws would be make it harder for businesses to be competitive. “This subject is covered with lobbyists,” he said. “Some of them send messages that are blatantly overstated, the idea that this is the end of the Internet as we know it is nonsense.”