Monday, 12 January 2015

Data Protection Directive vs draft Data Protection Regulation - infographics & commentary

The diagrams below compare the legislative progress and timing of the EU's 1995 Data Protection Directive (DPD) and the draft General Data Protection Regulation (GDPR). Click on a diagram for the larger version. For just the comparative infographics on EU data protection legislative progress, click here.

European Commission

The DPD was proposed by the European Commission in 1990, and adopted in 1995. The GDPR was proposed by the European Commission in Jan 2012, as part of a data protection reform package, to update the DPD.

The following diagram shows the number of Articles, Recitals and pages of legislative text (ie excluding explanatory commentary/notes, background material) in the 1990 DPD draft as compared with the 1995 DPD and the 2012 GDPR draft:

DPD vs GDPR - rough scale (vital statistics)



(Note: the 1995 DPD page count is not included as no "like for like" comparison is possible - the Official Journal PDF is 2-column and the font size, spacing etc are different.)

If you like, the vital statistics for the DPD (original 1990 proposal) and GDPR (1992 Commission proposal) are respectively:
  • DPD (1990 proposal): 33-24-27
  • GDPR (2012 proposal): 91-139-82

Before the GDPR can become law, it must be approved by both:
  • the European Parliament, ie elected MEPs, and
  • the Council of the EU aka Council of Ministers, ie EU national governments.
These EU institutions must agree on the same text, and a conciliation procedure may be invoked if necessary, inevitably involving negotiation and compromise. (For more info, see an outline of the EU's lawmaking procedures; key EU institutions; and main legislative info/documents on the GDPR).

In the European Parliament

The Parliament's lead committee appointed to scrutinise the GDPR was its Committee on Civil Liberties, Justice and Home Affairs (LIBE, rapporteur Jan Philipp Albrecht). LIBE's report to Parliament suggested numerous amendments to the Commission's text, taking account of input from several other Parliamentary committees including various amendments they proposed. Parliament adopted this unamended at its 1st reading of the GDPR on 12 Mar 2014.

The infographic below shows, for each of the DPD and GDPR, the number of amendments proposed by Parliamentary committees and the number of amendments actually approved by Parliament at its 1st reading.

DPD vs GDPR Parliament - number of amendments

In the Council

The Council of Ministers (comprising EU Member State national government ministers and the Commission) has, from the outset, been trying to agree its own position internally. Approval by the Council requires only a qualified majority vote rather than eg unanimity. Only after a draft text has been settled within the Council, can the task of agreeing a text with Parliament begin. It won't be easy: even now, there are many significant differences between the Parliament and latest Council versions.

Numerous Council documents have been released, many on specific parts only of the draft GDPR. As at Jan 2015, only three versions are available of the full consolidated draft GDPR text being discussed in Council - two officially published, the latest one leaked. The diagram below compares the number of footnotes in each consolidated draft version. The number of footnotes is used as a rough indication of the scale of Member State issues with the GDPR text, as most (though not all) footnotes contain reservations or similar statements by Member States or the Commission.
DPD vs GDPR - Council drafts - number of footnotes

Number of EU Member States

During the passage of the DPD, there were 12 EU Member States (becoming 15 on 1 Jan 1995, when Austria, Finland and Sweden joined).

When the GDPR was proposed by the Commission on 25 Jan 2012, there were 27 Member States (becoming 28 on 1 July 2013, when Croatia joined). So now there's nearly double the number of Member States as there was in the 1990s, to raise and agree issues in Council.

DPD vs GDPR - number of Member States

Timeline

The figure below compares the timelines of the DPD and GDPR.

DPD vs GDPR - comparative timetables

Official statements have been made signalling the aim of agreeing the GDPR by the end of 2015 or even earlier, eg:
  • Vice-President for the Digital Single Market Commissioner Andrus Ansip: "During the first six months of the Commission’s mandate, I will support Commissioner designate Jourová and work with you and the Council to finalise the reform of data protection rules".
  • Commissioner for Justice, Consumers and Gender Equality Věra Jourová: "I see it as an important project of the whole Commission to ensure the swift adoption of the EU data protection reform… I strive for the adoption of the European data protection reform package within the first six months of the mandate".
  • Commissioner for Digital Economy and Society Günther Oettinger: "my legislative priority will be
    to support the Vice-President for the Digital
    Single Market and the Commissioner for
    Justice, Consumers and Gender Equality in finalising the negotiations on an ambitious Data Protection Regulation in 2015…".
  • In the Council, in early Dec 2014, "Progress was made by justice ministers on the EU data protection framework…" and the Council's President Andrea Orlando said "Today we have agreed on two of the most politically sensitive issues on data protection reform. We see this as an important result for the Presidency, and a decisive step towards achieving global agreement on this complex and important file"
  • The Commission recently stated "In 2015, as part of the Digital Single Market Strategy, the Commission will aim to conclude ongoing inter-institutional negotiations on proposals such as the common European data protection reform and the Regulation on a Connected Continent."
  • Calls were made by several national Parliamentary delegations for adoption "by 2015". Parliament's motivation to ensure the GDPR goes through may well be bolstered by the reincarnation of GDPR instigator Commissioner Reding as an MEP (Member of European Parliament) who, as Martin Hoskins irreverently puts it, may not want to pass up "the opportunity of being forever associated with a once-in-a-generation opportunity to reset data protection rules".
However, notwithstanding the political pressures, it's difficult to predict when if ever the GDPR will go through, particularly in light of:
  • the number of Member State issues within the Council, as suggested by the number of footnotes;
  • the far greater number of Member States there are now than in the 1990s; and, not least
  • the current vast differences between the texts propounded by Parliament and Council, which will have to be bridged somehow.
Certainly, Parliament's GDPR rapporteur J P Albrecht has doubted whether the GDPR could be agreed by the end of 2015.

    Summary

    The figures from the diagrams above are consolidated below in a single infographic.

    DPD vs GDPR - summary
    There's a risk that the GDPR may end up being worse than the DPD for data subjects, and indeed also controllers and processors. See for example Chris Pounder's concerns regarding greater flexibility for Member States to make their own rules, particularly more national exemptions from data protection law requirements. I hope to blog my own specific concerns at a later date.

    We need better laws, better enforced by better-resourced regulators. And by "better laws" I mean sensible, realistic, understandable, clear, technology-neutral laws. It remains to be seen whether the GDPR will achieve that goal.



    Sources/references

    Parliament

    Figures for the DPD are derived from:
    • the report of the lead committee for the DPD, the Committee on Legal Affairs and Citizens' Rights (JURI) PE 148.286/fin A3-0010/92 15 Jan 1992, rapporteur Geoffrey Hoon. This refers to PE 148.286/rev./Am.212-293, ie 293 amendments were proposed by that committee, and appends opinions of other committees showing their proposed amendments: ECON 39, ENER 9, ENVI 22
    • Parliament's resolution and amendments 11 Mar 1992 (OJ C 94/173, 13 Apr 1992).
    Figures for the GDPR are derived from:

    Council

    Figures for the DPD are derived from:
    • 9951/94 (12 Oct 1994);
    • 11099/94 (30 Nov 1994).
    Figures for the GDPR are derived from:
    Note: the Council of Ministers is not the same as the European Council.

    General

    For a very readable book on how laws affecting the Internet should be made if they are to have any chance of being effective in practice, see Chris Reed's excellent "Making Laws for Cyberspace".