The end of the beginning

Abstract

As readers of IDPL are no doubt aware, on 25 January 2012 the European Commission published a proposal to reform the EU legal framework for data protection that has captured the attention of the data protection and privacy community around the world as have few other legislative initiatives in recent decades. The attention given to the proposal began even before it was officially released, as a ‘leaked’ preliminary draft found its way onto the Internet in late 2011 and precipitated a veritable feeding frenzy of attention. Since then, there have been numerous conferences, articles, blog entries, etc. devoted to the proposal, which will no doubt only increase as it works its way through the EU legislative process over the next few years. The intense attention given to the European Commission proposal is certainly justified. With the possible exception of the relevant provisions of the Lisbon Treaty, it is the biggest development in EU data protection law since enactment of Directive 95/46 in 1995. It is not just a redraft of the existing Directive, but an attempt to radically remake the EU legal framework. While individuals faced with increasing difficulty in asserting their data protection rights, and companies frustrated with the difficulty of complying with 27 divergent member state laws, had long known that the EU legal framework for data protection was broken, the realization took longer to dawn on member state governments and EU bureaucrats in Brussels. The jury is still out as to whether the proposal meets its intended objectives, and it is too early for any sort of definitive opinion on the details, given that numerous details of it will no doubt change substantially over time (indeed, it is possible that political factors may even cause the entire proposal to fall apart). But no matter what one thinks of it, at least the Commission has recognized the necessity of a root-and-branch revision of the law. Beyond the obvious data protection implications, the proposal serves as a laboratory to illustrate the current political tensions in the EU, and the compromises that will have to be made if a more pan-European conception of data protection law is to arise. The Commission’s decision to aim for complete harmonization of data protection law applicable to public authorities and the private sector via a regulation means that some member states are now faced with the prospect of having, as they see it, their existing national standards ‘watered down’, while others are concerned that the standards are being raised too high. This debate is an inevitable consequence of the changes brought by the Lisbon Treaty leading to a greater harmonization of fundamental rights law; since the data protection proposal is one of the first and most visible manifestations of these changes, it is proving to be a catalyst that will force governments and citizens to decide how much harmonization they really want. For years, many in the data protection community had been calling for greater harmonization, but some of the same actors are now also expressing concern about the loss of the special characteristics of their national data protection law, thus proving the truth of the adage ‘be careful what you wish for’. The proposal has important implications not only for the EU, but also for actors in both the public and private sectors around the world. Among just a few groups outside the EU affected by the proposal are non-EU governments seeking to share data with their counterparts in Europe, companies selling goods and services via the Internet to Europeans, and countries planning to enact data protection legislation based on the EU model. This last group deserves special attention, since in the last few years EU Directive 95/46 has found increasing favour as a model for numerous countries in other regions to use in drafting their own data protection legislation. The Directive has had the great advantage that it is a single legislative text that has also been analysed and used in practice for several years, thus making it an easy choice for countries