Europe's long-awaited new data protection law – which would protect people's privacy but could also cost British businesses millions in fines – may be delayed until 2016, partly because of resistance by the UK Government.
That was the warning last week from MEP Jan Philipp Albrecht, vice chairman of the European Parliament committee overseeing the bill.
The new General Data Protection Regulation (GDPR) is due to be finalised by the end of 2015, but failure to agree the new rules is leaving European citizens exposed to snooping by foreign and European intelligence agencies and companies, Albrecht said.
At a 7 January briefing in the European Parliament, he warned that delays to the law – which was first proposed in 2012 and has been hit by nearly 4,000 amendments – are “bad for democracy”.
The planned law has been strengthened in the wake of the Snowden revelations to protect the privacy of individual European citizens.
But it also threatens companies that fail to safeguard personal data, or to report data breaches, with fines of up to 100 million euros (£78 million) or five percent of their turnover.
Albrecht pointed out that the UK, French and German governments are all holding up the legislation for different reasons. The UK is opposed to the notion of a data protection regulation (DPR), which would apply directly in every member state, and would prefer a weaker data protection ‘directive’, which each member state transposes into its own national law.
He was speaking ahead of a meeting of the interior ministers of the 28 EU states later this month.
“We wanted to raise awareness that the European Council really needs to hurry to stick to the timetable,” a spokesperson for the MEP told SCMagazineUK.com.
“We don't know if we will make it this year. The European Council really have to run fast if they want to keep to the timescale. We hope we will manage, but if the Council waits even longer it will be very, very difficult.”
Albrecht said: “If ministers want a DPR, it will be up to the Council to deliver it. If they want to allow companies to regulate themselves, they have to beef up the rights of individuals to overcome this with stronger levels of protection.”
Commenting on Albrecht's warning, UK data protection expert James Castro-Edwards, a solicitor at PricewaterhouseCoopers Legal LLP, said it did not necessarily represent a “terminal” delay in the legislation.
He told SC: “The draft Regulation is three times the length of the current data protection directive, so not only is it a pretty draconian piece of legislation with the high fines, it's also very prescriptive, it's very detailed.
“The three bodies in the European legislative machine – the European Commission, the European Parliament and the European Council – have got to agree this complicated piece of legislation, so I wouldn't read anything terminal into the delays.
“I think it will take time, it's such a big job. There's a lot of optimism about how quickly they can get it through, that's just not realistic.”
Castro-Edwards also welcomed the proposed heavy fines, saying: “There was a perception among businesses of ‘why would you invest the time and the money on data protection compliance when the fines are so small?’.
“Fast forward to the present day and we're seeing people getting very nervous about these enormous fines coming in and finally getting round to addressing data protection compliance, which was the intention with the high fines. So I think that's worked and I think it's necessary.”
Amar Singh, chair of the UK ISACA Security Advisory Group, had mixed feelings about the likely delay.
He told SC via email: “It means companies should have more time to prepare and beef up their policies, processes and technologies to ensure they comply with the requirements.
“But delaying this kind of an initiative – or putting it on the back burner – may mean that, for many, it will be another panic ‘fix it now’ before the new deadline comes around.
“Additionally, dithering on an important regulation like this only allows for the miscreants (too many examples to give) to consistently get away with their utter disregard for personal privacy.”
Singh believes some companies may now defer investments and projects in this area and concentrate on more tangible threats.
“This is dangerous because for most organisations, getting their act together to comply is a fairly complex task involving, amongst other things, bringing together the whole organisation and instilling a fundamental culture change.
“You cannot change attitudes towards data privacy in a few months.”