The new draft of the general data protection regulation, put forward by the Irish presidency of the EU council earlier this month, completely redraws key parts of the previous text, making it much less strict. It seems to be the polar opposite of the 3,000 proposals added to the draft earlier this year, which the Direct Marketing Association has called “disastrous” for businesses.
Both sides of the argument will now need to make concessions if a deal on the legislation is to be reached, but that doesn’t seem likely to happen soon. The first vote on the regulation has already been delayed twice and the chances are dwindling of the EU parliament settling on a final law by the end of the year as planned.
Among the changes proposed by the Irish would be a removal of an EU-wide requirement for businesses to appoint data controllers. Also, instead of notifying consumers whenever a data breach occurs, they would only need to take a “risk-based” approach to doing so. Even the type of legislation being used is in doubt, as the Irish draft notes several countries would still prefer a more flexibly applied ‘directive’ instead of a universal regulation.
While the new text importantly recognises dissenting voices in a debate that until now has been dominated by supporters of strict data controls, this move also represents a gamble. EU officials claim they have never before seen lobbying efforts as strong as those surrounding this data protection regulation. If those arguing for a more business-friendly approach aren’t careful, they could give the impression to the public that the democratic process has been hijacked by corporate interests.
That won’t put them in a strong negotiating position in the long run.
In July, the presidency of the EU council transfers from Ireland to Lithuania, whose representatives have already admitted their plans for progressing the data debate are unambitious. It’ll therefore be up to the two opposing sides to argue between themselves, probably until the end of the summer. But the longer the arguments go on, the greater the uncertainty for businesses and the greater the risk that any new rules will fall behind the realities of how data is being used by businesses.