Following more than two years of extensive consultations on the review of the European data protection framework, the European Commission was expected to publish its proposal for a General Data Protection Regulation later this month. As we reported on this blog, an early version of this proposal, which was widely leaked last December, contained several radically new concepts and granted the Commission significant powers to provide additional guidance and detail on particular matters. We now understand, however, that following the “inter-services” review of different Directorates-General of the European Commission, the proposal will not be published until late February or early March 2012. In the meanwhile, it is expected that Viviane Reding, the European Commissioner in charge of the review, will present some form of communication later this month, without full details of proposed legislation.
Given the importance of the review, it is only right that the Commission takes its time with the proposal, but it seems likely that elements of the draft circulated for review within the Commission may have been resisted due to their controversial nature. For example, as we previously reported, the leaked draft broadened the scope of “personal data” and placed significant reliance on opt-in consent as a legal basis to process data in a revised regime; appeared likely to increase administrative burdens for data controllers by introducing mandatory data protection impact assessments and reporting obligations; and granted supervisory authorities wide powers to impose substantial fines — between 100,000 and 1,000,000 Euros, or as much as 5% of an enterprise’s annual worldwide turnover — for breaching the new rules.