National concerns over the proposed EU Data Protection Regulation

The Regulation is designed to replace the existing EU Data Protection Directive. Directives can be implemented at national level on each nation’s own terms. This has led to differences in how data protection is enforced within Europe, which the EU has described as ‘fragmented’. Regulations, however, must be enforced precisely as specified by the Council of the European Union. The purpose of this Regulation is thus to harmonize data protection enforcement across Europe.

The leaked document from Statewatch, Interinstitutional File: 2012/0011 (COD), provides the opinions of 20 European states on the proposed Regulation. It shows a wide difference in attitude. For example, a very common concern is the Regulation’s reliance on ‘delegations’; that is, the ability of the EU to arbitrarily add to or amend the agreed Regulation in the future. Belgium has a ‘general reservation’ on delegated acts. France believes that “the systematic recourse to delegated acts and implementing acts is excessive” and warns that it is “liable to generate opposition in our Parliament.” The UK says “There is an excessive number of delegated and implementing acts.”

Some countries believe that it should not be a regulation at all, but should remain a directive. Belgium “would like to propose a Directive...” The UK is “of the view that the proposed general Regulation should be a Directive.” Italy, however, strongly supports both the framework of a regulation and the use of delegated acts. “We believe it is right to choose a Regulation,” it states, and adds that a failure to safeguard stricter national legislation can “be minimised by timely and adequate use of Commission delegated acts.”

France is concerned about the detail of the ‘right to be forgotten’. It wonders how this relates to social networking since the “Regulation does not make any provision for personal data published by third parties;” and further asks whether data is “actually erased or does erasure cover only the access path to the data?”

The UK is concerned that the Regulation places too great an administrative burden on SMEs, demanding “unrealistic obligations” such as the “requirements to notify a data breach within 24 hours, to maintain documentation of all data processing operations and mandatory data protection officers which could be costly and impractical for many business and organisations.” This is a concern supported by Liechtenstein, which points out that it is a small nation with small companies; and asks that efforts be made to ensure that “the proposed regulation will not lead to additional workload and/or cost for citizens, companies and administration.”

The UK also raises an interesting point of law. The Regulation is classified as ‘a Schengen building’. The UK opted out of the Schengen agreement. The legal result, says the UK, is that “the effect of the Schengen classification is that the Regulation does not apply to the UK at all.”

One thing is clear: a harmonized view of the regulation to harmonize data protection within the EU is still a long way off.
