In January 2012, the European Commission proposed a legislative package to update the data protection principles enshrined in the 1995 Data Protection Directive (Directive 95/46/EC). The policy objectives of the European Commission set out an ambitious blueprint for a more cohesive EU data protection framework backed by stronger enforcement. Central to facilitating this were proposals for a General Data Protection Regulation (the Regulation) and a Data Protection Directive (the Directive) covering law enforcement.
On 21 October 2013, the Civil Liberties, Justice and Home Affairs Committee (LIBE) met in Strasbourg for the much-anticipated vote on the proposed legislative package. Voting had previously been delayed because of the overwhelming number of contested areas and 3,000+ amendments in the draft Regulation. (See our previous blogs on the first European Parliament vote delay and subsequent vote pushback.) See a video of the vote, which marked the landmark moment (circa 19:00 hrs) when the negotiating mandates for the Regulation and for the Directive were adopted.
In a press release from the European Parliament rapporteur for the Regulation, Jan Philipp Albrecht commented, “The vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age… The ball is now in the court of member state governments to agree a position and start negotiations so that we can respond to citizens’ interests and deliver an urgently needed update of EU data protection rules without delay.”
The key points in relation to the Regulation are:
- Sanctions – companies in breach of data protection rules would face fines of up to the greater of €100 million ($138 million) or 5% of annual worldwide turnover (compared with €1 million or 2% proposed by the Commission).
- Consent – this will require an explicit indication (by statement or affirmative action). Withdrawing consent must be as easy as giving it. The execution of a contract or provision of a service may not be made conditional on consent to processing data that is not strictly needed for those purposes.
- Data transfers to non-EEA countries look set to become more difficult – for example, if a third country requests a company (e.g., a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request. The more restrictive transfer provisions have the potential to put Safe Harbor at risk, and appear to be a response to the revelations about mass surveillance of EU citizens published in the media in June.
- Pseudonymous data is a new concept, defined as personal data that cannot be attributed to a specific individual without the use of personal information, and where such information is kept separately and is subject to additional measures. The use of pseudonymous data, e.g., for profiling, is subject to a ‘lighter’ regime.
- Right to Erasure – the much-vaunted “right to be forgotten” has been reined in to a strengthened (though qualified) right of deletion.
- Profiling – this will be limited to circumstances where the data subject has consented, where required by law or in pursuance of a contract. Data subjects have the right to object and should not be subject to discrimination as a result.
- Lifecycle Data Protection Management – this broader concept has been proposed, aspects of which require conducting privacy impact assessments and the appointment of Data Protection Officers based on the number of individuals whose data are processed (not organisation size).
The bulk of the amendments approved by the LIBE Committee can be found here for the Regulation: Articles 1-29 and Articles 30-91, and here for the Directive. Negotiations are now scheduled to commence between the European Parliament and national governments in Council. The aim is to reach an agreement on this major legislative reform before the May 2014 Elections.