European Commission vice-president Viviane Reding has urged MEPs to hasten reforms to EC Data Protection law, saying EU citizens and businesses can't wait two years for adoption.
The proposed data protection framework, which includes a regulation and a draft directive, would improve certainty, reduce legal fragmentation and increase trust, Viviane Reding told a meeting of the EU parliament's Privacy Platform.
The EC claims the proposed framework will lead to savings for businesses of €2.3 billion a year by reducing administrative burden and reducing public concern about data privacy. Fears about data privacy are believed to be among the main reasons people are reluctant to conduct online transactions.
Peter Hustinx, the European data protection supervisor, welcomed the Reding proposal, according to reports.
He described the reforms as "a huge step forward for data regulation" which would make data controllers "more responsible and accountable".
However, both Hustinx and Christopher Graham, the UK information commissioner and vice-chairman of the Article 29 Working Party, criticised the commission text for being "too prescriptive" and for leaving "not enough discretion for national authorities".
Hustinx commented on the need for further work on the impact of the regulation on national law. He said it is unclear whether the package was designed to build on or replace national law. He also questioned the commission's proposal to offer legal exemptions for small businesses.
While giving broad support for the legislation, Graham said there is too much scope for the commission to use implementing acts. Implementing acts allow commission officials to decide on the technical implementation of EU law without the usual levels of scrutiny by MEPs and ministers.
National authorities would need new resources to police the regime effectively, he said, calling on the EU parliament to ensure national data authorities are not reduced to "administrative machines ticking boxes".
Some aspects are less welcome, there are areas of doubt and some things that need more work, he told the Westminster eForum on data protection and privacy.
The ICO, he said, welcomed improved rights for individuals, clearer responsibilities on organisations, the high standard of consent, recognition of existing codes of conduct and certifications, the provision for stronger supervisory authorities, the inclusion of new concepts such as privacy-by-design, and the goal of great consistency in data protection rules across the EU.
However harmonisation through a one-size-fits-all regulation that does not take individual cultures into account may not necessarily mean good data protection, said Smith.