Sometimes the most interesting things that emerge from
conferences are whispered across the aisle just after a
presentation or debated by attendees off-site over a glass or two

The big-ticket question at last week's IAPP Europe Data
Protection Congress in Brussels wasn't on the agenda: Will
members of the European Parliament and the European Council manage
to bridge their differences and pass a new Data Protection
Regulation amidst significant competing pressures from various

A new Regulation (to replace the 1995 Directive) was announced
by the European Commission in January 2012. (Our summary of the
Regulation can be found
here). European legislators originally estimated that the new
Regulation could be passed as soon as the middle of 2013 (to be
followed by a two-year implementation period). Jan Philipp
Albrecht, a Member of the European Parliament and champion of the
Regulation, conceded last week that the end of 2013 might be more
realistic. However, none of the government speakers whose sessions
I attended considered a scenario where the Regulation simply
wasn't adopted for lack of sufficient consensus on its

Some members of the audience, however, noted the deep fault
lines that were evident between the views of various speakers on
issues ranging from questions of power-sharing among national
governments (specifically, the potential loss of power of certain
"stricter" national data protection offices under the
"one stop shop" system) to widely varying assessments of
the practical and economic burden that the Regulation would place
on businesses (will businesses flee Europe due to increased
compliance costs and the threat of substantial fines, or will
customers be so enamoured of European-style privacy that they will
flock to companies that adhere to the Regulation?).

Testing which way the wind is blowing – and how fast
– is always a tricky proposition. But my overall sense from
the recent Congress is that the Regulation will pass –
eventually, and probably not in 2013 – in a form that retains
the proposed fines (enthusiastically endorsed by several government
speakers), breach notice requirements (with more realistic timing
than the current proposal of 24 hours), and an expanded notion of what
constitutes personal data (everything you've ever posted on the
Web?). But some of the items that largely didn't even reach the
agenda at the Congress, such as the logistically challenging
"right to be forgotten" and the "right of
portability," may not make it through the legislative process,
or may survive in an industry-specific form.

Watch this space. But in the meantime, if you are a tech
company, keep on developing those privacy compliance products. More
than a few were already being promoted last week at the Congress.
And that may be the best predictor that we have.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.