This post was also written by Nick Tyler.

As reported yesterday by DataGuidance, it’s back to the drawing board for the Directorate-General for Justice (Justice) responsible for EU data protection law after they received strong “unfavourable” opinions from two key Directorates-General in response to the European Commission’s mandatory inter-service consultation process.

Publication of the draft EU Data Protection Regulation had been expected at the end of this month but has now been delayed until late February/March. The nature of the concerns raised by the Information Society and Media Directorate General (INFSO) and Directorate General for Trade (D-G Trade) mirror many of those highlighted in our earlier blog post and Client Alert following the leak of the draft Regulation last month.

INFSO’s concerns run to 22 pages and invoke some harsh criticism of the proposals and a perceived lack of openness and flexibility on the part of Justice. INFSO’s concerns include:

  • The broad scope of personal data, including geo-location data and online identifiers, without qualification;
  • The onerous requirements of proposed new data breach notification obligations;
  • The definition of “child” (under-18 threshold proposed) – unworkable in the online world;
  • The burdensome nature of the proposed new “right to be forgotten”;
  • A failure by Justice to take account of concerns about the continued burdens relating to data transfers, in particular those transfers described as “massive, frequent or structural”;
  • An increased risk of interference, contradiction and confusion within the draft regulation as a result of its addressing areas already covered by the ePrivacy Directive;
  • The proposed new sanctions regime.

The comments by INFSO represent a significant setback in the EU Commission’s attempts to re-shape European data protection law for the next generation. With the long-term future of enterprise and society in mind, INFSO rejects the draft regulation as:

“…an overly cumbersome legal framework which places new burdens and costs upon data controllers and processors, thereby acting as a deterrent for the development of new business models. INFSO is concerned that the proposal does not sufficiently take account of the economic climate and is at odds with the vision of Europe 2020.”

It’s not the first time (and won’t be the last) that data protection regulation has been blamed for standing in the way of progress but this opinion presents a significant challenge to the EU Commission’s efforts to complete the race to revise the EU Data Protection Directive.