EC welcomes reports on proposed data protection reform

The European Commission (EC) has welcomed support for data protection laws by rapporteurs of two European parliamentary committees

The European Commission (EC) has welcomed support for strong EU data protection laws by the rapporteurs of two European parliamentary committees.

The EC was responding to draft reports on the reform of the EU’s data protection rules proposed by the EC a year ago.

In their reports, Jan-Philipp Albrecht rapporteur for the Civil Liberties, Justice and Home Affairs Committee (LIBE) and Dimitrios Droutsas, rapporteur for the law enforcement sector, “express their full support for a coherent and robust data protection framework with strong and enforceable rights for individuals,” the EC said in a memo.

They also emphasise the need for a high level of protection for all data processing activities in the EU to ensure more legal certainty, clarity and consistency.

Key points of the rapporteurs' reports

  • The need to replace the current 1995 Data Protection Directive with a directly applicable Regulation. A single set of rules on data protection, valid across the EU will remove unnecessary administrative requirements for companies and can save businesses around €2.3 billion a year.
  • The support in principle for the Commission’s proposal to have a “one-stop shop” for companies that operate in several EU countries and for consumers who want to complain against a company established in a country other than their own. To ensure consistency in the application of EU data protection rules, rapporteurs want to create a powerful and independent EU data protection agency entrusted with taking legally binding decisions vis-à-vis national data protection authorities.
  • Support for strengthening users’ rights: they encourage the use by companies of pseudonymous and anonymous data; they further propose strengthening the concept of explicit consent for data to be legally processed by asking companies to use clear and easily comprehensible language (also with regards to privacy policies). The Albrecht report proposes further reinforcing the “right to be forgotten” (the right to erase one’s data if there are no legitimate grounds to retain it) by asking companies which have transferred data to third parties without a legitimate legal basis to make sure these data are actually erased.
  • The rapporteurs agree with the EC’s proposal that EU rules must apply if personal data of individuals in the EU is handled abroad by companies which are not established in the Union. According to the amendments proposed, it would be sufficient that a company aims at offering its goods or services to individuals in the EU. An actual payment from the consumer to the company is not needed to trigger the application of the data protection regulation.
  • The rapporteurs emphasise the need to have independent national data protection authorities which are well-equipped to better enforce the EU rules at home. The Albrecht report provides guidance as to the staffing and resourcing of these authorities and welcomes the Commission’s proposal to empower them to fine companies that violate EU data protection rules.
  • On the delegated acts foreseen in the Regulation (also known as ‘Commission empowerments’ or acts which ensure that if, in practice, more specific rules are necessary, they can be adopted without going through a long legislative process), the European Parliament rapporteur wants to drastically reduce the number of delegated acts by including, among others, more detailed provisions in the text of the Regulation itself.
  • On the Directive that will apply general data protection principles and rules to police and judicial cooperation in criminal matters, the rapporteurs agree with the Commission’s proposal to extend the rules to both domestic and cross-border transfers of data. The reports also aim to strengthen data protection further by enhancing individuals’ rights, giving national data protection authorities greater and more harmonised enforcement powers and by obliging them to cooperate in cross-border cases.
  • The Albrecht report proposes extending the period within which to notify a personal data breach to the supervisory authority from 24 to 72 hours. To prevent “notification fatigue” to data subjects, the report proposes that only cases where a data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation, the data subject should be notified. The notification should also comprise a description of the nature of the personal data breach, and information regarding the rights, including possibilities regarding redress.

“The protection of personal data is a fundamental right for all Europeans. Opinion polls show that individuals do not always feel in full control of their data. Policy makers and companies must therefore do better,” said EC vice-president Viviane Reding, the EU’s Justice Commissioner.

“I am glad to see that the European Parliament rapporteurs are supporting the Commission’s aim to strengthen Europe’s data protection rules which currently date back to 1995 – a pre-internet age. A strong, clear and uniform legal framework will help unleashing the potential of the Digital Single Market and foster economic growth, innovation and job creation in Europe,” she said.

In their reports on the Commission’s proposals for a general Data Protection Regulation and a Directive for the law enforcement sector, the MEPs support the proposed package approach and emphasise the need to advance negotiations swiftly on both instruments at the same time, the EC said.

The most notable recommendations concern the controversial 24-hour data breach notification requirement and the right to be forgotten.

The rapporteurs propose further reinforcing the right to erase ones data if there are no legitimate grounds to retain it, by “asking companies which have transferred data to third parties without a legitimate legal basis to make sure these data are actually erased”.

Jan-Philipp Albrecht's report proposes extending the period in which to notify a personal data breach to the supervisory authority from 24 to 72 hours.

Adverse effect on data subject

To prevent “notification fatigue”, the report proposes that only in cases where a data breach is likely to affect the protection of personal data or the privacy of the data subject should the data subject be notified. Examples of such cases would include identity theft or fraud,  financial loss, physical harm, significant humiliation or damage to reputation. The notification should comprise a description of the nature of the data breach and information regarding the subjects' rights, including possible means of redress.

Eduardo Ustaran, partner and head of the European data protection team at law firm Field Fisher Waterhouse, said:  "What was already a very complex piece of draft legislation has become by far the strictest, most wide-ranging and potentially difficult-to-navigate data protection law ever to be proposed.”

He believes the LIBE Committee's draft proposal represents a significant toughening of the Commission's draft. “Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders will follow,” Ustaran said.

This is by no means the end of the legislative process, said Ustaran, but some of the highlights of the European Parliament's proposal include the decision to give an even bigger role to consent (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data.

“In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual,” said Ustaran.

The "one-stop shop" concept that made a single authority competent in respect of a controller operating across member states has been considerably diluted, he said, as the lead authority is now restricted to just acting as a single contact point.

Many of the areas that had been left for the Commission to deal with via "delegated acts" are now either specifically covered by the regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities, said Ustaran.

“Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines,” he said.

The European Parliament’s LIBE Committee will discuss the draft reports on 10 January.

“The European Commission will continue to work very closely with the rapporteurs of the European Parliament and with the Council to support the Parliament and the Irish EU Presidency in their endeavour to achieve a political agreement on the data protection reform by the end of the Irish Presidency,” the EC said.

Read more on Privacy and data protection