Monday, 6 August 2012

“Exit that draft Regulation, pursued by an ungovernable crowd”

I must thank our chums at Statewatch for keeping me up all night – they’ve kindly published on the internet a leaked copy of the initial responses of Member States to the first 10 Articles of the proposed new Data Protection Regulation.

The document is 170 pages long, so make sure you're not going to be disturbed for a long, long time.

It makes really interesting reading, and it makes you wonder how on earth all Member States are going to be able to accommodate each other’s positions. If I were a betting data protector, I would assume that the only way that this current proposal is going to see the light of day is if the German Government makes it a condition of any future financial assistance from the Federal Republic in respect of a Euro bailout that the recipient Member State immediately appoints a German Data Protection Troika to oversee that Member State’s data protection laws.

And remember, even the Germans (on page 24) are insisting that "Member States must be able to retain their national rules – in particular where they provide a higher level of data protection than that provided in the legislative act – or to enact new ones."

In German eyes, it seems that reform can only be achieved by an upward revision of current data protection standards to the highest that are currently available. Then, we may get somewhere.

But, I mean, how do you reconcile a range of views like this? Talk about a shotgun wedding. I’ve seen less savage exchanges of views at Glaswegian wedding receptions.

So where is the way forward?

In no particular order, I guess we’ll next see proposals floated that support:

• a Directive, rather than a Regulation;
• less formal co-ordination from the Commission;
• more (but still relatively informal) co-ordination from a College of Information Commissioners;
• the introduction of an accountability principle, but
• with lots of flexibility as to how controllers will be required to demonstrate their accountability;
• stronger penalties against those who transgress;
• and different regulators exercising their disciplinary muscles in different ways;
• failed attempts to control non-EU-based data controllers (blah, blah, blah);
• another attempt at the central co-ordination of European data protection policy in, say, 5 years’ time, when our national leaders have worked out whether the future political path of Europe is leading to the central control of everything, or the re-emergence of nation states.

We, in Blighty, should all rejoice that we will be able to rely on our chums at the Ministry of Justice to carry out the heavy negotiating. Now, we’ll just have to wait and see what emerges from the background deals that will inevitably be offered as someone – presumably the Irish diplomats – assesses the chances of agreement during the Irish Presidency of the Commission in the first half of next year. After all, no Presidency ever wants to feel that theirs was a wasted opportunity to make a mark on the international scene.

But, really, just what does Euro-data protection actually look like?

After reading this report, frankly, I’m none the wiser.


The document comments on the first 10 Articles. The draft Regulation contains 91 Articles, so we can look forward to a few more documents this size being uploaded onto the internet in the fullness of time.