The European Parliament has voted to adopt its draft version of a reformed data protection regime, one of the European Union’s most ambitious legislative proposals this term.
The reforms are aimed at creating a level playing field in which non-European companies, when offering services to Europeans, will have to apply European rules and adhere to the same levels of protection of personal data.
Eduardo Ustaran, partner and head of the European data protection team at law firm Field Fisher Waterhouse, tweeted: “As predicted, the EU Parliament has categorically endorsed the amended draft law. Two-thirds of the way there now.
“All eyes on the Council of the EU to see what alternative they come up with and when! Given the status of the debate, bar a revolution, expect tweaks by the council rather than a complete rewrite.
“Council tweaks will make all the difference between a workable regime or an unrealistically ambitious one. I predict the council will think bolts are too tight on consent, some rights, paperwork, data flows and fines,” said Ustaran.
Mark Prinsley, head of intellectual property (IP) at international law firm Mayer Brown, said while there may be much to criticise in the compromise position, as an overall package it represents a well thought out attempt to update EU privacy laws.
The new rules also “provide businesses wishing to develop techniques making intensive use of personal data with clearer guidance on the areas of concern and give individuals greater certainty as to how their personal data will be handled”, he said.
Ending months of speculation and debate, MEPs inserted stronger safeguards for EU citizens’ personal data that gets transferred to non-EU countries.
MEPs also increased the fines to be imposed on firms that break the rules to up to €100m or 5% of global turnover. The European Commission had proposed penalties of up to €1m or 2% of worldwide annual turnover.
Reform of the EU’s 19-year-old data protection laws was ordered to keep pace with the progress of information technologies, globalisation and the growing use of personal data for law enforcement purposes.
"I have a clear message to the council: any further postponement would be irresponsible. The citizens of Europe expect us to deliver a strong EU-wide data protection regulation,” said Jan Philipp Albrecht, rapporteur for the Civil Liberties, Justice and Home Affairs Committee (Libe).
“If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them,” he said.
Dimitrios Droutsas, rapporteur for the law enforcement sector, said: “Allow me to express my dissatisfaction and frustration about the fact that it is the council, or at least some member states, which are preventing us from achieving the goal that we had set – namely to have the data protection reform package passed by the end of this parliament’s mandate.”
To better protect EU citizens against surveillance activities like those unveiled since June 2013, MEPs amended the rules to require any firm – including a search engine, social network or cloud storage service provider – to seek the prior authorisation of a national data protection authority in the EU before disclosing any EU citizen’s personal data to a third country. The firm would also have to inform the person concerned of the request.
The new rules should also better protect data on the internet. They include a right to have personal data erased, new limits to “profiling” (attempts to analyse or predict a person's performance at work, economic situation, location, etc) and a requirement to use clear and plain language to explain privacy policies.
Any internet service provider wishing to process personal data would first have to obtain the freely given, well-informed and explicit consent of the person concerned.
The data protection package consists of a general regulation covering the bulk of personal data processing in the EU, in both the public and private sectors, and a directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement).
The European Parliament voted on its first reading of the draft legislation to consolidate the work done so far and hand it over to the next parliament. This ensures that the MEPs newly elected in May can decide not to start from scratch, but instead build on work done during the current term.
The draft regulation was backed by 621 votes to 10 with 22 abstentions. The draft directive was endorsed by 371 votes to 276 with 30 abstentions.