David Smith, Deputy Commissioner and Director of Data Protection for the ICO, looks at why EU data protection regulation proposals and discussions are taking so long and outlines what the UK is doing in the midst of reform.

As the candles were blown out on the third birthday of the European Commission’s proposal for a new data protection regulation for Europe, there were plenty of people asking how close we were to seeing any of the much-needed changes to UK law.

The short answer is not that close. Progress has been made, but the negotiations in Brussels are not even in the home straight, let alone close to the finishing line.

And the longer answer? Well, three years on is an opportune time to take stock of what’s been achieved so far, what remains to be done, and when we might actually see the new legal framework in place.

To gauge what’s been done so far, it’s worth remembering the process we’re going through. You’ll remember that there are three parties involved in the process – the European Commission, the European Parliament and the Council of the European Union. The Commission set the ball rolling with a proposed regulation, and the Parliament and Council then each come up with proposed amendments, before the three of them finally get together in what’s called the ‘trilogue’ to thrash out a final agreement. That final agreement – known as the Regulation – then becomes law in each country, after a period of time for countries to consider the practicalities of what it will mean to them domestically.

We’re currently approaching the trilogue stage. The Parliament agreed its amendments roughly a year ago, and even though there have been elections since then (and so a new Parliament), their position has remained the same.

The Parliament is ready for the trilogue, then, but the Council isn’t. The Council is where the governments of member states are represented, and the reforms are discussed in its DAPIX Committee. Our role includes offering advice and support to our MoJ colleagues who sit at the table in these meetings. So far they’ve reached “partial general agreement” on international transfers, obligations on controllers and processors (the so called ‘risk based approach’), and the provisions relating to specific data processing situations such as research. This means that they’ve reached high level agreement on the approach in these areas, even if individual member states may still have reservations on some of the detail. But it’s all couched in the phrase “nothing is agreed until everything is agreed” – until the Council eventually comes to a final agreement on its proposed amendments, even these partially agreed areas can be revisited.

(With that in mind, a word of warning to those who are avidly watching all the various texts, official and leaked, that are coming out of the Council. They’re nowhere near the final position so please don’t read too much into them, particularly into the detail. Nothing is agreed until it is all agreed and then the package still has to be negotiated with the Parliament and the Commission.)

What was notable was the Council reaching consensus on flexibility for the public sector, something which had been a sticking point for one member state in particular. This removes any prospect of the end result being another Directive (meaning members would be able to adapt it into their own legislation) rather than a new Regulation (which members are obliged to accept as is). It’s also significant that although the detail still needs to be worked out, there’s now an agreed approach in the Council to the ‘one stop shop’ for businesses and individuals, and the associated consistency mechanism for data protection authorities. This is all about businesses that operate in several European countries having one ‘lead’ data protection authority that they can deal with, and ensuring authorities work closely together in developing their interpretation of the Regulation’s requirements. This is central to achieving the harmonisation across the EU that the Commission is seeking.

So what remains to be done? There’s no doubt that the pace is hotting up. The Latvians hold the presidency of the Council until June and they, urged on by the Commission, have highlighted this data protection reform as high amongst their priorities. The optimists are talking about an agreement within the Council by the end of the Latvian presidency, with the trilogue starting soon after, during the subsequent Luxembourg presidency.

This could see everything wrapped up by the end of the year, in line with the Commission’s commitment to have all the measures in place that are necessary for a thriving ‘digital economy’ in Europe by 2015. Maybe. But then there’s a lot to be settled in the trilogue and everything’s gone much more slowly than the optimists have predicted up to now. Even with the diplomatic skills of the Luxembourgers, agreement in the first half of 2016 might be a more realistic prospect. Of course, then the fun really starts, with two years for implementation and the new regime up and running perhaps some time in 2018.

You might ask what the ICO is doing in the meantime. Well we, together with our fellow data protection authorities in the Article 29 Working Party, are urging everyone to get a move on. As we’ve said before, there’s no doubt reform is needed, and it’s needed even more now than it was three years ago! It really doesn’t help the effective protection of individuals, which is what data protection is all about, for businesses to be left in continuing uncertainty about what is going to be required of them. It’s important to get the new law right, of course, but the Parliament has reached agreement and all the basic concepts of data protection are well established and still valid, so it’s hard to see why it’s all proving so difficult in the Council. When they do finally reach agreement we will analyse their proposed amendments and provide a commentary.

At that stage we’ll still be offering advice on what we see as the key questions to be addressed in the trilogue. Issues we expect to be central to the discussions (and which we’re already developing our view on) include:

• the scalability of the obligations, particularly for small businesses,
• the provisions on profiling and risk,
• the definition and use of pseudonymisation,
• the one stop shop and associated consistency mechanism,
• the right to be forgotten and the Regulation’s enforceability overseas, and
• the duties of data protection authorities including the imposition of sanctions.

Finally, a word about the proposed Directive on data protection in the law enforcement and justice sectors that formed part of the Commission’s proposed reform package alongside the general Regulation. This is proving even more difficult to agree in the Council, given member states’ sensibilities about the scope and role of EU legislation in these sectors. An informal meeting of member states’ ministers in Riga last week did little to encourage optimism on this front. However the Parliament is very much wedded to the idea that the proposed Regulation and Directive go hand in hand in a package. This means that they might be reluctant to start the trilogue unless they see some progress with the Directive.

Plenty of hurdles yet to overcome, then, but I’m keeping my fingers crossed that by the fourth anniversary in 2016 we really will be into the home straight – even if reaching the winning post might still require a final push.

This article originally appeared on the Information Commissioner’s Office Blog and is reposted here with permission and thanks.  It gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Politcal Science.