On 25 January the proposed EU General Data Protection Regulation is turning three. The irony is that it won’t come into force before it is six. That is, of course, the best-case scenario.
A compromise between EU governments is unlikely to be concluded before the end of the year, or even later. After that, the Council must reach consensus with the European Parliament on the wording of the final text. A lot of time may have passed by then.
Much more time than Viviane Reding could have imagined when she unveiled the proposal in 2012. What’s more, the wait won’t be over. Once adopted, there is expected to be a two year transition period before the regulation takes effect.
In the meantime many things are likely to change under the skies of Europe. The regulation has been proposed in the wake of the NSA spy scandals, with most EU leaders calling for stricter privacy rules in order to appease their public opinions. However, in the aftermath of Charlie Hebdo shooting the political agenda in many EU countries seems to be shifting from privacy worries to surveillance efforts.
On the other hand the rise of new technologies, such as the Internet of Things or Big Data, may present challenges to privacy that will require fresh legislative intervention.
In short, when in 2018 – or even later – the regulation enters into force, it risks to be out of touch with the reality, and partially ineffective. European paradoxes at their best.