By Stephen Gardner
March 12 -- The European Parliament March 12 adopted its position on the reform of the European Union's data protection regime, with lawmakers, as expected, voting overwhelmingly in favor of a version of the draft data protection regulation previously approved by the Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE).
The vote is significant because it sets out the European Parliament's position on the draft regulation ahead of eventual negotiations on a final text with the EU Council, the EU institution that represents the governments of the 28 EU member states.
There had been a strong push by EU leaders to bring the matter to a vote before elections in May to seat a new European Parliament (13 PVLR 223, 2/3/14). The vote in favor of the reform package means there is no need to start the legislative process over in Parliament, where it has already taken over two years to gain approval.
Attorneys contacted by Bloomberg BNA March 12 said that negotiations at the EU Council may significantly alter the specific elements of any eventual data protection reform in the bloc.
Sitting in a plenary session in Strasbourg, France, members of the European Parliament voted 621-10 with 22 abstentions to back fully and without amendments the position LIBE adopted in October 2013. LIBE substantially changed the original draft legislative text proposed in January 2012 by the European Commission, the EU's executive arm.
The draft data protection regulation, or uniform EU-wide law, was proposed to replace the 1995 Data Protection Directive (95/46/EC), which sets minimum standards that EU countries have transposed into their national codes of law.
Lawmakers also approved March 12 the European Parliament's position on a draft directive on the processing of data by law enforcement authorities, which is designed to complement the draft data protection regulation. Lawmakers backed LIBE's position on the draft directive by 371 votes to 276, with 30 abstentions.
Some of the main changes to the commission's original text adopted by the Parliament include high fines for companies breaching the regulation, a requirement for companies to appoint data protection officers on the basis of the extent of their data processing operations, rather than on the basis of their size, and tighter rules on consent, profiling and data transfers to countries outside the EU.
In addition, the Parliament's version of the draft regulation replaces a “right to be forgotten” included in the original European Commission proposal with a “right to erasure” of personal data, which also would create an obligation for companies receiving such a request to forward the request to other data processors to which the data have been transferred.
On fines for breaches, lawmakers approved penalties of up to 100 million euros ($138.6 million), or 5 percent of a company's global turnover.
On the appointment of data protection officers, lawmakers said that the obligation should extend to any data processor processing the data of more than 5,000 data subjects in a year, and to companies for which data processing is a core business activity. This stipulation changed the commission's proposal, under which companies with 250 or more employees would have had to appoint data protection officers.
On data transfers outside Europe, the draft regulation would create an obligation for companies to seek the permission of the national data protection authority of the data subject, and to inform the data subject, if the authorities in a third country require the disclosure of the data.
Lawmakers also approved provisions primarily targeted at social media, search engines and online advertising companies, such as measures to ensure that data processing is only done for specific purposes that are subject to prior agreement.
The draft regulation would require consent for processing to be “freely given, specific, informed and explicit,” and it says that the data subject could withdraw consent at any time.
The draft regulation adds that consent would lose its validity if the processing of data went beyond what was required to fulfill a specific contract, and that the “execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract.”
The draft regulation also would require data subjects to be informed if their data were used for profiling, and it states that data subjects should be able to object to profiling. Decisions based on profiling that produce “legal effects,” such as credit scoring, couldn't be made entirely automatically, but should include “human assessment,” according to the draft regulation.
The draft regulation approved by the Parliament also departed from the commission's initial proposal by introducing the concept of a standardized European Data Protection Seal, which companies could obtain to certify that they comply with the data protection regulation.
Jörg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA March 12 that the European Parliament's vote in favor of LIBE's text had been influenced by revelations, since the European Commission published the draft data protection regulation, about government electronic surveillance programs and the passing of information by companies to government bodies without the knowledge of data subjects.
“The strict approach by the Parliament seems to be more than justified when looking at the current developments in terms of surveillance,” he said. “However, not all of the strong elements of the Parliament's position might survive the negotiations with the EU Council.”
“The Council is currently still extremely split over a number of fundamental issues, such as the one-stop-shop mechanism and the enforcement powers and level of fines,” Hladjk said.
In contrast to the European Parliament, member states in the EU Council have been unable to find common ground on a number of issues and have called for further technical analysis, most recently on the extent to which non-EU companies can be obliged to follow the EU rules, as well as on profiling.
On the one-stop-shop principle, or the principle that a data processor is overseen by the DPA in the EU member state where it has its “main establishment,” EU member states are undecided, and their discussions have been held up by conflicting legal advice (see related report).
Hladjk said that Germany, for example, “is very interested in not losing too much influence with its 16 DPAs in the context of the one-stop-shop system.” In Germany's federal system, each land, or state, has its own DPA.
In addition, “Germany also seems to still reject that the public sector will be covered by the proposal,” Hladjk said.
Cédric Burton, a senior associate at Wilson Sonsini Goodrich & Rosati LLP in Brussels, told Bloomberg BNA March 12 that the “main objective of this vote was to create legacy and put pressure on the other EU institutions, in particular the Council, to move forward with the regulation.”
The vote affirms the position of the European Parliament ahead of European elections in May, meaning that lawmakers in the new Parliament won't have to renegotiate the institution's position.
Future negotiations on the final form of the data protection regulation could be affected by personnel changes among the EU commissioners, or top EU officials, whose term ends in the fall, Burton said. In particular, European Commission Justice Commissioner and Vice-President Viviane Reding, who proposed the data protection reform, might no longer be a commissioner.
The text approved by the Parliament “would significantly affect businesses, and in particular tech companies operating outside of the EU,” Burton said.
He added that “the text gives a broad extra-territorial effect to the regulation, requires companies to obtain data protection authorities' approval before disclosing personal data to foreign regulatory authorities or courts, regulates profiling activities, puts emphasis on accountability, creates new rights for individuals and provides for huge fines in case of violations.”
“However, during the negotiation period with the other institutions changes are expected,” Burton said.
EU member state justice ministers will next meet to discuss the draft regulation in June. The European Commission has said that the EU institutions should aim to finalize the reform by the end of 2014.
Industry representatives said that the Parliament's position on the data protection reform was overall too restrictive.
Markus J. Beyrer, director general of industry federation BusinessEurope, said in a March 12 statement that the Parliament position “does not strike the appropriate balance and will hamper data-driven innovation.”
John Higgins, director general of DIGITALEUROPE, an industry group representing information technology and electronics companies, such as Apple Inc. and Intel Corp., said in a March 12 statement that because of shortcomings in the Parliament text, “we urge national governments to continue their efforts to find the right balance. This law is too important to rush through.”
The Parliament's version of the draft regulation would “hamper Europe's ability to take advantage of new ways of using data,” the DIGITALEUROPE statement added.
European Digital Rights (EDRi), a privacy campaign group, also expressed concern that the consent provisions of the draft regulation are too weak.
In a March 12 statement, EDRi said that the text was flawed because it would allow the creation of profiles without individual consent if pseudonymous data were used. The text is also flawed because it continues to use a provision in the 1995 Data Protection Directive that allows data processing on the basis of the processor's “legitimate interest” without specific consent, EDRi added.
Meanwhile, Parliament approved a nonbinding resolution offered by LIBE regarding possible moves to restrict cross-border transfer of personal data in light of concerns about government surveillance and companies sharing data with government investigators (see related report).
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Katie W. Johnson at email@example.com
The text on the draft EU data protection regulation adopted by the European Parliament is available on page 25 of “Texts Adopted, Part 1 at the sitting of Wednesday 12 March 2014” available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+20140312+SIT-01+DOC+WORD+V0//EN&language=EN.
The draft directive on the processing of data by law enforcement authorities is available on page 220 of “Texts Adopted, Part 1 at the sitting of Wednesday 12 March 2014” available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+20140312+SIT-01+DOC+WORD+V0//EN&language=EN.