
The European Parliament

January 2014

The EC draft data protection Regulation kept the European Parliament very busy in 2013 with the Committee for Civil Liberties, Justice and Home Affairs taking the lead in steering and defining the Parliament position.

Committee reports

The early part of 2013 was taken up with the publication of the reports of various EU Parliamentary committees on the draft EC data protection Regulation (Regulation), the most significant of which was the report by the Committee for Civil Liberties, Justice and Home Affairs (LIBE).

The LIBE report recommended over 350 changes to the current draft Regulation, many of which were widely perceived as being in favour of data subjects. For example, a restricted definition of SMEs, greater restrictions on international transfers and a reduction of scope of the 'legitimate interests' exception, were some of the less data controller friendly proposals. At the same time, the LIBE report made some recommendations which were more popular such as the reduction in scope for the Commission to make delegated acts and the introduction of the concept of pseudonymous data.

The LIBE report was followed by the more data controller friendly report by the Industry, Research and Energy Committee (ITRE) which again made hundreds of recommendations. ITRE also made proposals around the concept of pseudonymous data and recommended a move away from the prescribed fines of 2% of annual global turnover, suggesting instead that national regulators should decide on the level of fines. Finally, the Legal Affairs Committee report was published. It supported the right to be forgotten and was anti-profiling.

The various Parliamentary reports were consolidated and resulted in proposals for over 3000 amendments. These were subsequently refined down and put to a Parliamentary vote in October 2013.

Parliamentary vote

Some of the key recommendations voted for, which the Commission itself is highlighting as evidence of Parliamentary support for its proposals, are:

  • general support for the concept of data protection law taking the form of a Regulation (which does not require Member State implementation) rather than a Directive;
  • an increase in the maximum fines which can be imposed from €1,000,000 or 2% of annual global turnover, to €100,000,000 or 5% of annual global turnover. It also appears that whereas the original proposals only allowed for fines up to the higher level for certain breaches, in the LIBE proposals, the supervisory authority will have greater discretion in deciding what sort of sanction to impose as a result of all breaches and would have to choose between a written warning in cases of first and non-intentional non-compliance, the imposition of regular data protection audits and a fine;
  • the strengthening of the wording around the territorial scope of the Regulation, making it clear that it would apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union "whether the processing takes place in the Union or not". It is also made clear that the Regulation applies to processing of data by a controller or processor not established in the Union in relation to the offering of goods or services "irrespective of whether a payment by the data subject is required";
  • the re-wording of the controversial new 'right to be forgotten' which has been enhanced and changed to a right of erasure and adds a right not only to obtain from the controller the erasure of personal data and the abstention of further dissemination of the data, but also the right to obtain from third parties, the erasure of any links to, or copy or replication of the data, provided certain conditions are met. These conditions have also been amended to include a new right to erasure "where a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased". The right to erasure is made dependent on being able to verify that the person making the erasure request is, in fact, the data subject;
  • changes to transfer of data rules outside the EU. Under the LIBE proposals, if a third country requests a company (such as a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the relevant person of such a request. As LIBE's press release made clear, "this proposal is a response to the mass surveillance activities unveiled by the media in June 2013";
  • clarification that execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. In addition, it must be as easy to withdraw consent as it is to provide it and consent shall be "purpose limited" so it will expire when the purpose ceases to exist or when the processing of the data is no longer necessary for the purpose;
  • profiling would only be allowed with the data subject's consent, when provided by law or when needed to pursue a contract. In addition, profiling should not lead to discrimination or be based only on automated processes and any person should have the right to object;
  • the introduction of the concept of a 'Lead Authority' where a controller or processor is established in more than one Member State or where personal data of the residents of several Member States are processed. The supervisory authority of the main establishment of the controller or processor "shall act as the lead authority responsible for the supervision of the processing activities of the controller or the processor in all Member States".

Unfortunately, this revised text does not look like the more reasonable version of the Regulation that many, particularly in the UK, were hoping for. It seems that the revelations about the National Security Agency's (NSA's) activities hardened the position of the Parliament and many of the changes work in favour of data subjects. In addition, while there is some flexibility introduced on when fines can be levied, the maximum fine has gone up from 2% of annual turnover to 5%.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Debbie Heywood


Sally Annereau


Debbie and Sally look at the role of the European Parliament in pushing for strong consumer rights focused amendments to the draft Regulation.