EU Data Protection Regulation: Update


The EU Data Protection Regulation was discussed, yesterday, at the Privacy Laws & Business conference in Cambridge, UK.

Here is the latest news:

  • There has been a debate as to whether the new Regulation is actually going to happen. The clear view from the European Commission and the European Data Protection Supervisor is that the Regulation will happen and the European Parliament is unlikely to change its position on any of the main points; so businesses should start preparing.
  • Officially, the aim is to finalise the Regulation in late 2014. The reality is that this adoption will probably happen in 2015. As an indicative backstop date, the UK Government is keen to finalise the process before the next general election in May 2015. There will then be a 2 year transitional period.
  • The “One Stop Shop” will likely be diluted so that a data controller will be regulated by the regulator in the EU jurisdiction of its main establishment but; that regulator will need to cooperate and work closely with other regulators. This looks like a dilution of the advantages of locating in the UK or Ireland in order to avoid regulators in other member states.
  • Binding Corporate Rules may be extended to “groups of enterprises in a joint economic activity”. This may help use of subcontractors operating “in the cloud”. Watch this space for more detail.
  • It isn’t yet finalised whether the new law will be Regulation or a Directive (requiring local implementation). For what its worth, it looks like it will be a Regulation so probably no change on this.

Interestingly, Lilian Mitrou (who was in charge of pushing forward the reform on behalf of the Council of Ministers as part of the Greek Presidency) said that they tried to create a balance between “realism” and “not ignoring the difficulties”. Despite this, the new provisions (including extra-territorial effect, the “principle of accountability” and the need for policies, procedures, audit and appointing a Data Protection Officer along with data breach notification duties and substantial fines) all look likely to be implemented. An updated version of the Regulation has recently been leaked and formal confirmation of the amended proposals from the Council of Ministers will be published soon.

Next Steps

We now have the original proposal for a Regulation from the Commission together with the version proposed by the European Parliament and (shortly to be published) the proposal from the Council of Ministers. The next step is to conduct the “trilogue” procedure under which the institutions discuss and agree the final text. As mentioned above, the official aim is to do this by the end of 2014.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.