By Ulrich Wuermeling

Almost four years after the European Commission introduced their draft for a new European Data Protection Regulation, negotiators of the European Parliament and Council are close to agreeing on a compromise text, set for December 15, 2015. If the final negotiations in the so-called “informal trilogue” are successful, the legislative process can be formally finalized at the beginning of next year and the Regulation will become applicable two years later. During that period, businesses established in the EU, those which offer goods and services to individuals in the EU or monitor the behavior of individuals in the EU (whether in the B2B or B2C context) will need to get ready to comply with the new data protection framework.

Whilst the original proposal of the European Commission attempted to create a harmonized framework for the EU with extensive rights of the Commission to regulate the details at a later stage, the compromise text provides for substantial powers of Member States to implement individual national rules. In addition, the concept of the one-stop-shop supervision of businesses by a single data protection authority at their main establishment in the EU has been watered down. Therefore, most of the potential benefits for business which could have been generated by the directly applicable Regulation did not survive in the legislative process.

Compared to the existing data protection laws in the EU, businesses will face stricter limitations to the way they can process data about individuals and will be burdened with additional administrative duties. Business models based on secondary use of personal data will have to be revisited. Whilst the Regulation abandons some of the obligations to register with data protection authorities, it increases the internal administrative obligations substantially. For example, increased transparency and governance obligations will add to the costs of data protection compliance.

The clarity of the Regulation has suffered from the extensive negotiation process. In its present form, it includes numerous provisions with vague and unclear rules as well as substantial inconsistencies especially between the actual Articles of the Regulation and its Recitals which attempt to give further guidance. The European data protection authorities and the European Commission will provide their views over time, but ultimately it will be the responsibility of the Court of Justice of the European Union to clarify the interpretation in light of the Charter of the European Union. Cases requesting clarity will take many years to come to court and there will be no excuse for businesses who will have to apply the Regulation from the day it comes into force. This will be a major challenge especially due to the range of potential fines under the Regulation. The Parliament representatives have asked for maximum fines up to 5% of the worldwide turnover of an undertaking or €100 million, but the Council representatives are pushing for a lower level.

We will report further on the Regulation and the changes compared to the existing framework, if and when, the final text of the Regulation is available.