Life is always busy in Brussels. Policy making and legislative activities never stop but this particular week has been rather eventful for the current European data protection reform process. The Data Protection Congress organised by the IAPP has served as an open and constructive forum for some of the key players to get together and debate their views in front of a very sophisticated audience. The most visible message of the week has been that all parties involved - European Parliament, Commission, Council of the EU, EDPS and of course the data protection authorities - are now working at full pace to consider the issues, listen to other stakeholders and inject their thinking into the end result.
Here are some of the key takeaways about the data protection legislative reform we heard at the IAPP Data Protection Congress:
* Francoise Le Bail, Director General for Justice at the European Commission, kicked off a prestigious roster of keynote speakers by acknowledging the need to simplify the current proposal, particularly for the benefit of SMEs. However, she fiercely defended two commonly criticised aspects of the draft Regulation: the Commission's delegated acts, which she believes are needed to maintain the Regulation's flexibility; and monetary fines, which are meant to give the new framework much needed teeth.
* For Jan Philipp Albrecht, Rapporteur of the LIBE Committee with primary responsibility for leading the European Parliament's position, the main challenge is to convince everyone (individuals and businesses) that a harmonised approach is needed. Reiterating his aim to approve the final text before the next European Parliament elections in June 2014, he emphasised the need for a regulation (rather than a directive) for the sake of certainty going forward, making clear LIBE's stance on this issue. Mr Albrecht also said that whilst we are on the right track in terms of principles, we also need to achieve foreseeability, which suggests that some of the more technology-specific provisions will be revised.
* Jacob Kohnstamm, Chairman of the Article 29 Working Party showed his concern about some essential elements being under attack, namely: personal data, consent and purpose limitation. With regard to personal data, he would favour of a slight extension of the definition to cover any data that may be used to single out individuals. He believes that it is crucial to leave the concept of consent untouched because if data protection is a fundamental right, the individual's consent must override everything else. With regard to purpose limitation, as well as profiling, Mr Kohnstamm announced that the Article 29 Working Party is working on alternative proposals. Not surprisingly, Mr Kohnstamm is wary of the 'one stop shop' principle and emphasised the role of the proposed European Data Protection Board to get the balance right.
* The 'one stop shop' principle became one of the most heatedly debated topics. Isabelle Falque-Pierrotin, President of the CNIL, indicated that the current proposal was simply not realistic and that local data protection authorities should not be prevented from enforcing the law. Jan Philipp Albrecht responded by saying that it is very important to have one competent regulator to ensure consistency of interpretation and actions. The debate on this issue is clearly wide open with Peter Hustinx, the European Data Protection Supervisor, taking a position somewhere in between where there is one regulator as a single point of contact for the same organisation across the EU but all regulators are still competent.
Clearly, the pressure to get the balance right is on and whilst there is no sense of urgency yet, Sophie in 't Veld, MEP, summarised the situation perfectly when she referred to the fact that after months of familiarisation with the Commission's proposals, it was now time to put our heads down and get on with the business of building the future data protection framework for Europe.