A group of EU member states is likely to force the European Commission to soften proposals for tough new data protection regulations.
At least nine member states, including the UK, are opposed to several proposed measures that could place heavy burdens on data-related companies, according to the Financial Times.
The EC will have to compromise because there are enough member states to block the entire data protection reform process if it does not, the paper said.
The disagreement of “several member states” with the “level of prescriptiveness” of a number of the proposed obligations was detailed in a letter by the Irish presidency of the European Council.
In particular, member states are unhappy about proposals to require explicit consent from individuals to process their data, give online users the “right to be forgotten”, and require businesses to notify of personal data breaches within 24 hours.
Other concerns include provisions that require all companies to appoint a data protection officer and the difficulties caused by the tough rules for public institutions such as tax authorities.
The proposed EU Data Protection Regulation, which is currently being debated by the European Parliament, is set to be voted on by June.
More on EU data protection
- Internet firms concerned over EU data protection proposals
- Proposed EU data protection bad for business, says CBI
- How to prepare for proposed EU data protection regulation
- Proposed EU data protection framework needs work, says ICO
- The implications for storage of EU data protection regulation
- Data Protection Masterclass: New EU Data Protection Regulation
- The new EU data protection regulation: Planning for compliance
- EC publishes proposed data protection reforms
- UK business fears impact of new EU data protection framework
- The proposed EU data protection regulation and its impact on cloud
EC expected to compromise on EU Data Protection Regulation
The letter by the European Council on behalf of member states is indicative that the reform process is reaching the stage where business lobbies and national governments start to have more of a voice.
This begins to happen as the process moves from the European Commission into the European Parliament and European Council, said Stewart Room, partner at law firm Field Fisher Waterhouse.
“Clearly, there are many aspects of the regulation that will hurt businesses, and it is only natural that there will be pressure on the Commission to water down some of the harsher ‘anti-business’ proposals,” he said.
According to Room, the word on the street is that the Commission will compromise.
“The Commission will have to do a deal to get the regulation through, and this is likely to mean a better environment for business than originally suggested,” he said.
In January, internet firms such as Facebook and Google raised concerns over proposed amendments to the draft regulation that called for users to be given more control over their personal data.
Analysts say the likely softening of the proposals will be met with relief by these and other US-based technology companies that operate in Europe.
A year ago, EC vice-president Viviane Reding, the EU’s Justice Commissioner, went on record to say that such firms had lobbied "fiercely" to remove certain elements from the draft proposals.
Most US companies support a more risk-based approach to personal data protection as a way of reducing administrative burdens, particularly on smaller businesses and start-ups.
A risk-based approach would aim to deal with cases where there is a substantial threat to a person’s data or privacy.