Sometimes the most interesting things that emerge from
conferences are whispered across the aisle just after a
presentation or debated by attendees off-site over a glass or two
The big-ticket question at last week's IAPP Europe Data
Protection Congress in Brussels wasn't on the agenda: Will
members of the European Parliament and the European Council manage
to bridge their differences and pass a new Data Protection
Regulation amidst significant competing pressures from various
A new Regulation (to replace the 1995 Directive) was announced
by the European Commission in January 2012. (Our summary of the
Regulation can be found
here). European legislators originally estimated that the new
Regulation could be passed as soon as the middle of 2013 (to be
followed by a two-year implementation period). Jan Philipp
Albrecht, a Member of the European Parliament and champion of the
Regulation, conceded last week that the end of 2013 might be more
realistic. However, none of the government speakers whose sessions
I attended considered a scenario where the Regulation simply
wasn't adopted for lack of sufficient consensus on its
Some members of the audience, however, noted the deep fault
lines that were evident between the views of various speakers on
issues ranging from questions of power-sharing among national
governments (specifically, the potential loss of power of certain
"stricter" national data protection offices under the
"one stop shop" system) to widely varying assessments of
the practical and economic burden that the Regulation would place
on businesses (will businesses flee Europe due to increased
compliance costs and the threat of substantial fines, or will
customers be so enamoured of European-style privacy that they will
flock to companies that adhere to the Regulation?).
Testing which way the wind is blowing – and how fast
– is always a tricky proposition. But my overall sense from
the recent Congress is that the Regulation will pass –
eventually, and probably not in 2013 – in a form that retains
the proposed fines (enthusiastically endorsed by several government
speakers), breach notice requirements (with more realistic timing
than the current proposal of 24 hours), and an expanded notion of what
constitutes personal data (everything you've ever posted on the
Web?). But some of the items that largely didn't even reach the
agenda at the Congress, such as the logistically challenging
"right to be forgotten" and the "right of
portability," may not make it through the legislative process,
or may survive in an industry-specific form.
Watch this space. But in the meantime, if you are a tech
company, keep on developing those privacy compliance products. More
than a few were already being promoted last week at the Congress.
And that may be the best predictor that we have.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.