EU Lawmakers Warn of Risks in Privacy Reg Transition

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Jan. 28 — The large number of issues left open in the final agreed text of the European Union's soon to be finalized General Data Protection Regulation shouldn't undermine the regulation's goal of creating a single, harmonized EU privacy regime, leading lawmakers involved in the reform said Jan. 27.

Michał Boni, a center-right Polish member of the European Parliament's Civil Liberties, Justice and Home Affairs committee (LIBE), which played a leading role in the development of the data protection regulation, said that the final text contained 54 “options for national implementation” that could work against the harmonization goal.

Boni didn't cite a source for the figure, but gave the example of the age below which children would require parental consent to access social media services, such as those offered by Facebook, Inc. The regulation sets the default age at 16 but permits EU countries to adopt a lower age with a minimum of 13 .

This provision raised “a certain risk that it will lead to a sort of geoblocking,” which would harm the EU's digital single market aims, Boni said. He was speaking at the 9th International Conference on Computers, Privacy & Data Protection in Brussels.

Bojana Bellamy, president of the Hunton & Williams LLP Centre for Information Policy Leadership, told Bloomberg BNA Jan. 27 that in the regulation's transition phase, there was “huge scope for de-harmonization.”

On the regulation's provisions that had left issues open, there should be “forward-thinking” interpretation to ensure that no new obstacles to EU data-driven innovation were created, Bellamy said.

EU negotiators Dec. 15 concluded nearly four years of talks on final text of a new General Data Protection Regulation, which would replace the 20-year-old Data Protection Directive (95/46/EC) . After formal ratification—which should happen by mid-2016—the regulation will take effect after a two year transition period

Interpretation Needed

Depending on how the regulation's provisions are interpreted, Boni said, another potential risk for companies is the right of data portability.

This right “should be analyzed and we should know exactly what it means,” so that the responsibilities of service providers are understood, Boni said.

Article 18 of the regulation provides that when a data subject requests portability of his or her data, it should be “transmitted directly from controller to controller where technically feasible.” Boni also said that the split of liability between data controllers and data processors should be clarified, and that “we should develop the understanding” of the concept of pseudonymous data.

The lead role in the transition period before full implementation of the regulation will be played by the European Data Protection Board (EDPB), which will replace the Article 29 Working Party of EU member state data protection commissioners.

Even on this, Boni said “we need guidance for the EDPB,” so that it doesn't diverge from the harmonization goal when interpreting the regulation.

Missed Opportunity

Speaking at the same conference, Axel Voss, a German member of the European Parliament from the same center-right grouping as Boni, criticized the regulation for being “very complex and very cumbersome,” and said that the transition period should be used to find “practical solutions” to minimize burdens on companies.

The regulation was a “missed opportunity” in terms of stimulating the digital economy, and offered “too much” flexibility to EU member states to vary some provisions, Voss said.

“The big companies won't be challenged by the new data protection law,” but it would undermine innovation and “hamper growth,” because of, for example, overly strict consent provisions and too-tight restrictions on use of pseudonymized data, Voss said.

He added that the regulation had made the EDPB “too powerful,” so that “for me, it's like the Chinese central committee.”

Jan Philipp Albrecht, the German Green lawmaker who steered the data protection regulation through the European Parliament, speaking at the same event, defended the agreed text.

“Of course there will be an impact and an adjustment necessary,” but the regulation would encourage global companies to comply with EU standards, which meant that smaller EU companies were “now on an eye-to-eye level” with the multinationals, Albrecht said.

Bellamy said that the regulation was a “very complicated law and we are where we are,” and regulators should work with it, rather than seek to make retrospective changes.

“Could we have done better? Of course we could. But it could have been ten times worse,” she said.  

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Jimmy H. Koo at

Request Bloomberg Law: Privacy & Data Security