One thing everyone agrees on is that the EU needs new data protection rules. The current rules, now some 20 years old, are getting long in the tooth. Adopted at a time when having household Internet access was still a rare thing (remember those 56kpbs dial-up modems, anyone?), there’s a collective view across all quarters that they need updating for the 24/7 connected world in which we now live.
The only problem is this: we can’t agree what those new rules should look like. That shouldn’t really be a surprise – Europe is politically, culturally, economically and linguistically diverse, so it would be naive to think that reaching consensus on such an important and sensitive topic would be quick or easy.
Nevertheless, whether through optimism, politicization, or plain naivety, there have been repeated pronouncements over the years that adoption of the new rules is imminent. Since the initial publication of the EU’s draft General Data Protection Regulation in January 2012, data protection pundits have repeatedly predicted it would all be done and dusted in 2012, 2013, 2014 and now – no surprises – in 2015.
The truth is we’re a way off yet, as this excellent blog from the UK Deputy Information Commissioner highlights. Adoption of the new General Data Protection Regulation ultimately requires agreement to be reached, first, individually by each of the European Parliament and the Council of the EU on their respective preferred amendments to the original draft proposals; and then, second, collectively between the Parliament, the Council and the Commission via three-way negotiations (so-called “trilogue” negotiations).
As at the date of this post, the Parliament has reached consensus on its preferred amendments to the draft, but the Council’s deliberations in this respect are still ongoing. That means the individual positions of both institutions have not yet been finalised, the trilogue negotiations have not yet begun, and so an overall agreed upon text is not yet even close. There’s still a mountain to climb.
Not that progress hasn’t been made – it has, but there’s still a long way to go and it’s very unlikely the new law will pass in 2015. Even when it does, the expectation is that it will be a further two years until it takes effect. In other words, don’t expect the news rules to bite any time before 2018 – six years after they were originally proposed.
Why so long? Designing privacy rules fit for the 21st century is a difficult task, and the difficulty stems from the inherent subjectivity of privacy as a right. When thinking about what protections should exist, a natural consideration is what “expectation” of privacy individuals have. And therein lies the problem: no two people have the same expectations: what you expect and I expect are likely very different. Amplify those differences onto a national stage, and it becomes quickly apparent why discussions over new pan-European rules have become so protracted.
How, then, to progress the debate through to conclusion?
First, European lawmakers need to listen to the views of all stakeholders in the legislative process without prejudice or pre-judging their value. It’s far too simplistic to dismiss consumer advocates’ proposals as ‘impractical’, and equally disingenuous to label all industry concerns as just ‘lobbying’. Every side to the debate raises important points that deserve careful consideration. Insufficiently strong privacy protections will come at an expense to society, our human rights and our dignity; but, conversely, excessively strict regulation will impede innovation, hamper technological progress and restrict economic growth. A balance needs to be found, and ignoring salient points made by any side to the debate comes at a cost to us all.
Once lawmakers accept this, then they must also accept compromise and not simply ‘dig in’ to already fortified positions. Any agreement requires compromise – whether a verbal agreement between friends, a written contract between counterparties, or even legislative agreement over new laws like the General Data Protection Regulation. At present, however, there is too much bluster, quarreling and entrenchment, where reason, level-headedness and compromise should prevail.
When it comes to new data protection rules, a compromise – one that benefits all stakeholders of the information economy – is there to be struck: we just have to find it.