Brussels, 08/03/2013 (Agence Europe) - Not all companies in Europe, big or small, will be forced to recruit a data protection officer as long as their business does not run the risk of abuse of personal information. This was the line taken by most member states on Friday for the new EU data protection regulation at an EU Council meeting. Asked by the Irish Presidency whether the appointment of a data protection officer should be optional, the answer was largely yes, explained Irish minister Alan Shatter.
The debate raised another concern, namely whether a regulation suggested by Commissioner Reding (as opposed to a directive) is the right way to proceed. A number of countries, headed by the UK, are concerned about this. On Thursday morning, German interior minister Hans-Peter Friedrich told Commissioner Viviane Reding that Germany had dropped its call for a directive, but Alan Shatter said the debate was not yet totally closed and might emerge again at the next meeting (in June). More than a year after the draft regulation was unveiled in January 2012, the pro-directive countries say that Reding's draft regulation does not give enough flexibility for the public sector, tax offices, for example having to keep information about taxpayers; despite the fact that various presidencies, the Cypriot Presidency for example, has attempted to remove all doubt.
The UK is backed by Belgium, Hungary, Denmark and other countries, but is the country that is most outspoken in criticism of a regulation as the right type of legislation. The UK says the regulation would simply cost companies too much. On Friday morning, UK secretary of state Chris Grayling told his counterparts that it would cost the UK €200 million a year in terms of the cost for small businesses of having a data protection officer. On 6 March, he explained his fears in a letter to Reding, who replied on Friday 8 March by justifying the use of a regulation rather than a directive for doing something close to David Cameron's heart - boosting growth and the digital market by simplifying the rules and avoiding having a patchwork of 27 different laws.
Work is continuing to try to reassure. A source says that nothing revolutionary is being asked for, only to ensure that there is the same rule across Europe. The Commission is not planning to force industrial bakers to recruit data protection officers, said Reding on Friday, but companies dealing with sensitive information in a risky area would of course be expected to have such an officer.
One problem is that the idea of “risky” areas has not been defined and ministers will have to set clear criteria and penalties for different levels of risk. A tricky job. At the Commission too, people were taking a more cautious line on Friday. While the risk-based approach has its merits, it also has limitations, explained a source. Viviane Reding says it is important to avoid vague measures that will allow lawyers at big multinationals to take the new rules to task, by which she meant that if the risk categories are too detailed, then this could make the regulation unworkable.
Talks on the idea of a one-stop shop and how decisions taken by national regulators on behalf of the EU27 will be applied will be discussed at upcoming meetings. (SP/transl.fl)