True Costs of the New EU Data Protection Regime

The Article 29 Working Party recently called for EU officials to take a look at the true costs of EU data protection law reform. The Working Party’s concerns centered around the implications of the reform on national data protection authorities (DPAs) and the European Data Protection Supervisor (EDPS).  This article takes a look at the proposed reform, as well as the Working Party’s responses.

Background on the GDPR

In January 2012, the European Commission released a draft General Data Protection Regulation (GDPR), which –if it is approved and enforced – would introduce a single, unified data protection law across all 27 EU member states. Companies that process personal data of EU citizens outside the borders of the trading bloc would also be covered under the rules.

Experts have said that the GDPR proposes a comprehensive and significant reform of the existing EU data protection framework. It’s important to point out that the existing Data Protection Directive will be replaced by this Regulation.

Why the GDPR?

The following are the key goals of the proposed GDPR reform:

  1. To update and modernize the existing EU data protection rules in light of technological developments to address, among other things, online privacy, in order to improve the protection of personal data processed both inside and outside the EU.
  2. To address the protection of personal data processed by law enforcement and judicial authorities.
  3. To give individuals more control over their personal data and facilitate access to and transfer of such data.
  4. To harmonize data protection rules across the EU by establishing a strong, clear and uniform data protection framework with a single set of data protection rules and a single national data protection authority.
  5. To boost the EU digital economy and foster economic growth, innovation and job creation in the EU.

Currently, EU directives are required to be implemented by each EU member state through national legislation, which results in many different interpretations of the legislation, thus a country-specific analysis of the legal requirements is required. By contrast, regulations have the immediate effect of law throughout the EU.

Replacing the current Data Protection Directive with a Regulation means there is no room for flexibility for different countries to interpret and tailor the law to their own contexts. If the GDPR is approved, European law on data protection (apart from criminal justice matters) will be the same across the board. While it will require less effort to determine how to bring operations to compliance standards with the new data protection law, it will also mean that organizations will need to comply to more stringent standards.

Scope of the GDPR

Under the proposed GDPR, businesses outside the EU that either a) Process personal data of EU residents in connection with offering goods or services to such individuals, or b) Monitors the behavior of such individuals will be subject to the provisions in the Regulation.

The following are significant provisions of the proposed GDPR. These are provisions which would impact both organizations in the EU as well as entities that operate within the EU or serve EU citizens.

  • Expansion of the definition of “personal data”
  • Express consent is required in order to process personal data
  • Requirements of breach notification
  • Requirements to adopt policies and implement measures to ensure and demonstrate compliance with the GDPR
  • Binding Corporate Rules (BCRs)
  • Data security obligations
  • Data protection impact assessment requirements
  • Requirement to appoint a Data Protection Officer
  • Significant penalties for violations of the GDPR
  • Restrictions on transfers of personal data to third countries

Working Party’s Response

On April 4, 2012, the Article 29 Working Party sent a letter to Viviane Reding, Commissioner for Justice of the European Commission. Currently, the Working Party is a committee of representatives from each national DPA in the EU. If the draft GDPR is approved, the Working Party will be replaced by the European Data Protection Board (EDPB).

In the letter, Working Party chairman Jacob Kohnstamm writes that it is important that member states are able and committed to provide the necessary financial, human and technical resources to enable the DPAs and the EDPB to carry out their responsibilities. “Without these there is a risk that DPAs will not be able to cope with the demands on them and will act as an impediment to rather than an enabler of the innovation and growth that you are seeking to promote.”

If member states and the European Commission are unable to commit to the cost of providing the required resources, then it’s necessary for the EC to scale back the duties that are low-priority, or those that do not provide the best value for money, privacy protection-wise.

Under the proposed reform, DPAs must provide one another with mutual assistance, to ensure that the laws are applied consistently in different countries. If individuals in more than one EU member state are likely to be affected by the decisions of another DPA, then other DPAs in those countries have the right to participate in joint operations.

The Working Party recommended that the proposed reforms should include a general obligation to anonymize or pseudonymize personal data when processing information, in situations where it is “feasible and proportionate” to do so.


In January 2012, the European Commission released a draft General Data Protection Regulation (GDPR), a set of proposed reforms to the existing EU data protection law. If approved, the GDPR would unify data protection law across all 27 EU member states. The key goals and major issues of the GDPR are discussed in this article, along with the Article 29 Working Party’s response to Justice Commissioner Viviane Reding in April 2012.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/European Privacy (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:

  • European Commission (I.B.d.)
  • European data protection legislative framework (I.C.)
  • Supervisory authorities and their powers (II.J.a.)
  • Article 29 Working Party (II.J.b.)
  • European Data Protection Supervisor (II.J.c.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>