European FlagEuropean Data Protection Regulation now a reality – work now starts on clarifying exactly what this means for the credit information industry

After 3 years of lobbying and discussion, the new EU Data Protection Regulation has now been finalised. The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age. Late on Tuesday (December 15), an agreement was found between the European Parliament and the Council of Ministers, following final negotiations between the three institutions (so-called ‘trilogue’ meetings).

The full EU press release confirming the agreement and a summary of the main changes can be found at

Now that agreement has been reached the final text of the regulation will be formally adopted by the European Parliament and Council at the beginning 2016. The new rules will become applicable two years thereafter.

What this means for all member states within the EU is that within two years, the current Data Protection regulation that exists in each country will be replaced by the new EU Regulation.  Unlike an EU Directive, an EU Regulation must be transposed into each member state’s legislation exactly as drafted with no room for interpretation or amendment at country-level.

The aim of the Regulation is to harmonise EU data protection law to support the single market agenda.  The current model, with 28 member states each having their own legislation based on the Data Protection Directive (95/46/EC) but with very different local interpretation, sanctions and enforcement provisions, was perceived to be a barrier to achieving a single market as organisations and consumers were faced with 28 country-specific versions of the Directive as transposed into national legislation.

During the negotiations on the regulation, the credit information industry represented by BIIA, ACCIS and FEBIS has been actively engaged with all parties involved in agreeing the regulation, EU Parliament members, members of the Council of Ministers and European Commission officials, to make sure they all understood the possible unintended consequences that the new regulation could have on the industry. These lobbying efforts have resulted in a far less onerous regulation that when it was first introduced and our industry now generally believes it is one that we can work with.

However as the new Regulation has been drafted at a very high ‘principles’ level (as it has to be to cover so many different industries processing personal data) it is going to be critical that the credit information industry seeks clarification from regulators on how it specifically relates to the processing of credit information. This will ensure that there is clarity amongst all stakeholders (consumers, lenders, credit information companies and regulators) on what the regulation means and that any challenges to the way the industry processes data are minimised.

The industry will be looking to clarify the interpretation of the regulation by working with the ‘Article 29 Working Party’ which is made up of representatives from all of the Data Protection Authorities in the member states.  BIIA will be working with ACCIS and FEBIS on this next round of lobbying.