Are you thinking what I am thinking? I think you are.
Week last Monday, I attended a meeting of the Government’s Data Protection Advisory Panel, the Group that discusses the Data Protection Regulation with officials negotiating for the UK. I came away from that meeting thinking that, because of the range of disagreements over its content, the Data Protection Regulation is not going to be agreed before the June 2014 deadline.
Because of this, I think progress with both the Regulation and the Data Protection Directive in the field of law enforcement and should be stopped now, in favour of a more considered approach after the next European Elections in June 2014. This is the only way of making sure that groups representing the interests of data subjects and data controllers will be able express a view on any final text (if one is agreed).
At the moment, we may be on track of getting a revised Regulation text that is sprung on data controllers and data subjects at the last-minute and where there will be very little opportunity to engage with its provisions.
For instance, the European Parliament is still looking at amending the Commission’s original text published in January 2012, which following the comprehensive Irish revisions and DAPIX leaks is largely irrelevant. In practice, I can’t see the purpose of discussing 3,000 plus amendments to a text when everyone knows that text is completely different to the one that the Ministers and Commission are now amending.
Even with the revised Irish/DAPIX text, Member States cannot agree on the form of the Regulation; there are over 300 “Reservations” marked on the DAPIX text (see references). This usually means that the reserving Member States (or Commission) fundamentally disagree with the Irish/DAPIX text. It is also usually an indication that one or more Member State is likely to vote against the particular provision.
I also think there is a growing realisation that if Member States want “flexibility” in the Regulation’s text, that a further Data Protection Directive could unify all aspects of data protection (i.e. include law enforcement provisions as well).
However, if there is to be a new Data Protection Directive after the European Elections, then the current proposal for a Regulation has to die a death. And if the Regulation is to die, then somebody has to kill it. So who does the deed? And when? And how?
The real risk is that if no one (i.e. Parliament, Ministers or indeed Commission) has the courage to pull the plug, a runaway data protection regulation train will start its journey.
For instance, Member States will continue to negotiate through the Lithuanian and Greek Presidencies. No doubt further comprehensive changes will be made to a text, changes which of course, no-one from the data controller or data subject community have had any chance to make representations about its content.
Member States argued at their Council of Ministers that “nothing is agreed until the final text is agreed”; they have not considered that when there are comprehensive revisions (which there has been), this "nothing is agreed etc..." position excludes their own countries’ data subjects and data controllers from involvement in legislation of which they are the prime focus.
Parliament will also continue in its hapless task and indeed, they might even arrive at 3,000 compromise agreements – just to say “we succeeded”. Again the result will be new text, where there again, no-one from the data controller or data subject community will have had any real chance to consider.
Of course, the Commission might present another text to get through the current impasse; but there again members of the data controller or data subject communities are excluded.
The nightmare scenario is that the Parliament, Commission and Ministers try to resolve their diverse texts, so that a compromise version of the Data Protection Regulation emerges. There again no-one from the data controller or data subject community will have had any chance to comment on any compromise text.
This kind of deal could result in comprehensive horse-trading and risks the emergence of a text based on half-baked compromises and proverbial deals "made in smoke-filled, back-rooms”. For instance, agreements on the lines that have little to do with the best data protection outcomes; “If you support our definition of “consent”, we will support your opt-out for the processing of personal data for your public sector”.
I think you have got the message: there is significant risk of the emergence of a data protection text where those directly affected will have had little say. Whatever our legislators choose as any final text (if there is one), representatives of data controllers and data subjects will have largely been excluded from the revision process (unless, of course, the data controller is a member of the group that is spending millions of euros on lobbying).
So that is why I would vote for:
(a) “Pull the plug” now on the Regulation and law enforcement Data Protection Directive;
(b) use the time up to June 2014 and prepare a further draft version for comprehensive data protection rules for consultation, covering all public sector and private sector processing of personal data, and
(c) aim for a further round of legislation in later 2014 (after the European Elections).
In summary, getting a late bus to the correct destination is far better than catching the wrong bus at the right time. The problem, in my view, is that the risks of getting it wrong are increasing all the time.
Disagreements re DAPIX text (link at the end of): http://amberhawk.typepad.com/amberhawk/2013/06/latest-dapix-leak-of-the-data-protection-regulation-eases-transfers-and-makes-fining-difficult.html
Irish text link (link at end of): http://amberhawk.typepad.com/amberhawk/2013/06/irish-do-hatchet-job-on-the-data-protection-regulation.html
Council of Ministers meeting disagreements (link at end of): http://amberhawk.typepad.com/amberhawk/2013/06/member-states-divide-over-the-protection-offered-by-the-irish-version-of-the-data-protection-regulat.html