One of the most frequent questions we have at the moment is from clients asking us when the new EU data protection laws will come in. Needless to say there is no definite answer. In May 2014 we looked at what the proposed new laws say and some of the history behind them. You can read that here.
What has happened since?
Recently the lack of progress has been criticised by members of the European Parliament and also on Tuesday by Viviane Reding, the former Vice President of the European Commission, who was one of the authors of the draft Regulation. Some may say however that politicians like Mrs Reding share the blame. The proposals were always too one-sided to achieve consensus. Onerous and poorly thought out proposals like the reporting of security breaches “without undue delay and, where feasible, not later than 24 hours after having become aware of [the breach]” were never likely to pass through quickly on an unanimous basis. The wording of much of the proposed Regulation was clumsy and too many powers were reserved to the Commission. I wrote my first blog on the proposals on 25th January 2012, the day the proposals were first announced. I said then that the Commission’s timetable was “perhaps a little optimistic” even then it was clear that there would be considerable opposition to some of the proposals; especially when elements of the Regulation had previously been rejected.
The dangers of uncertainty
One of the difficulties in this process is of course the fact that businesses need certainty. Some businesses have grown tired of hearing about the new proposals and are doing nothing. That is unlikely to be a safe solution. At the same time we have been acting for a vendor of outsourced services who received an agreement this week from a large national organisation which included a clause to say that if new data protection laws came in during the currency of the contract they would have the right to unilaterally vary the agreement between the parties to take account of any changes they, in their absolute discretion, thought were necessary. Whether or not an agreement like that is legally enforceable this is clearly an area of risk given that a number of outsourcing and services provision agreements being signed currently will extend for a period beyond the date when the new law comes in.
Other businesses seem to be waiting for the Regulation too. We’ve been looking quite a bit at cyber insurance recently and there’s clearly part of the insurance industry that is waiting for the new data breach reporting obligations for the metrics it believes it needs to price policies. They too will have to look for other solutions if they want to write policies in the next 2 or 3 years.
There are risks in predicting the future and organisations large and small will need to take special care with any contractual arrangement that could still be in force after the new law comes in.
What does the current timetable look like?
David Smith the Deputy Information Commissioner and Director of Data Protection in the UK wrote a helpful personal blog last week which gives us some indication of how much work remains to be done before the new law comes in. Mr Smith points out (as we have done repeatedly) that the final version of the Regulation is by no means clear and that there is little utility in studying the detail of some of the subsequent “re-drafts” that have been proposed by various parties since the 2012 draft. Mr Smith feels that we will still be left with a Regulation rather than the lesser alternative of another Directive. A Directive would give member states flexibility but would likely lead to delays and inconsistency as it would be up to each member state to produce their own version of the law. Mr Smith seems to think that the earliest time for the end of discussions between the various EU organisations would be the end of 2015 but that “agreement in the first half of 2016 might be a more realistic prospect”. The European Commission previously committed to a two year period for implementation which would mean a start date for the Regulation of 2018.
Mr Smith has also drawn attention to an added complication which is that the Regulation is supposed to be agreed alongside a parallel piece of draft legislation consisting of a Directive specifically focussed on data protection concerning law enforcement and justice, which is apparently the subject of even more political disagreement at the highest EU level. So final adoption of the Regulation may be even more of a hostage to fortune.
As a result the period of uncertainty is likely to remain for some time yet. When we can give more definite answers we will but in the meantime there’s a real need for businesses to take proper precautions in their contracts and keep up the preparatory work for some aspects of the law which we know are likely to come in.
Originally published on Feb 13, 2015, at http://www.corderycompliance…