The proposed new EU General Data Protection Regulation may need to be watered down. The far-reaching proposed draft, which was published in January 2012, aims to unify and strengthen the data protection laws across the 27 EU countries. However, the Financial Times reports that a memo drafted by the Irish presidency admits that “several member states have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft regulation.”
There appears to be a prevailing opinion among the member states that the burdens imposed by the draft Regulation must be reduced, especially the most commonly criticised elements, such as the requirement to obtain individuals’ explicit consent and the “right to be forgotten.” Several EU member states, like the UK (see our blog about the UK’s criticism), advocate a “risk-based” approach that would have as its focus whether a substantial threat to a person’s personal data exists. Several EU member states would like small companies spared from many of the compliance burdens contained in the proposed Regulation—an approach advocated by the American Chamber of Commerce.
Some member states, including the UK, would like to see the designation of a data protection officer reduced to an optional requirement. Germany and Belgium argue for the easing of rules related to the use of data by public institutions.
The lobbying for watering down the proposed Regulation has been openly criticised by a coalition of privacy groups, as well as by Jan Philipp Albrecht, the rapporteur for the draft regulation (see also our blog about Albrecht’s report on the proposed Regulation). Given the raging debate, it looks as though enough member states oppose the draft Regulation to block the entire proposal, unless the European Parliament and the European Commission heed the calls for compromise.