On 20th March 2013, the Committee for Civil Liberties, Justice and Home Affairs (or LIBE Committee) announced that it would delay its vote on the proposed data protection Regulation until the end of May 2013. Despite this, the Committee remains optimistic that political agreement on the proposed Data Protection Regulation will be reached by June 2013, paving the way for the legislation to be passed before the next European elections in June 2014. The Committee has a significant task ahead of it — there are more than 3,000 proposed amendments for it to consider ahead of the vote. 

Meanwhile, the European Commission has reiterated its view that the Regulation must afford the same level of data protection as the current Directive (95/46/EC). EU Director General for Justice, Françoise Le Bail, set out certain ‘red lines’ beyond which the Commission appears unwilling to negotiate. This may disappoint those hoping that an updated European data protection framework would mean more flexibility and business-friendly rules; at this stage it appears that there will be no loosening of the current restrictions. In particular, it appears unlikely that reduced obligations will apply to pseudonymous data, the definition of ‘personal data’ will remain intentionally broad, and data controllers will not be free to make their own decisions on issues such as the designation of their ‘main establishment’. 

Le Bail also reaffirmed the Commission’s emphasis on explicit consent, the right to be forgotten and data portability as key protections for data subjects. She noted that the protections of the Regulation must be offered to European citizens, rather than to EU residents. This is likely to be an unwelcome clarification for data controllers operating in the online space, who may be able to determine users’ location by IP address, but have no means to identify citizenship. 

While the Shadow Rapporteurs called for a risk-based approach, a better balance between administrative burdens and business needs, and rules which are practical, useable and context-specific, it is clear that it is not only the Commission which envisages a tightening and strengthening of European data protection rules. In addressing the LIBE Committee on 20th March, the European Data Protection Supervisor, Peter Hustinx, called for stronger rules to improve the level of data protection under Directive 95/46/EC, and otherwise echoed many of the Commission’s key messages. In particular, he expressed strong support for the explicit consent requirement and made plain that pseudonymous data and encrypted data are both 

personal data, and therefore subject to data protection laws.