EU Parliament Finalizes Landmark Data Privacy Reg


By Stephen Gardner

April 14 — The European Parliament April 14 approved the landmark European Union General Data Protection Regulation (GDPR), bringing the possibility of huge enforcement fines and stricter data subject consent and data breach notification requirements to the EU.

The Parliament action brings to a close an over four-year process to update the decades-old privacy regime in the EU. The other branches of the EU government have already approved the long-awaited change to replace the 1995 EU Data Protection Directive (95/46/EC).

The regulation is likely to be published in the EU Official Journal in May, and would therefore apply across the EU in May 2018, following a two-year transition period. It is intended to bring stronger EU-wide harmonization of privacy and data security rules and enforcement than the Data Protection Directive.

The GDPR will “give users back the right to decide on their own private data,” including by strengthening rules on data subject consent and on processing of sensitive data, Jan Philipp Albrecht, the German Green lawmaker who steered the GDPR through the European Parliament, said in an April 14 statement. The regulation will also levy fines of up to 4 percent of global income on noncompliant data controllers, he added.

The European Parliament also approved the companion law to the GDPR, a directive on the processing of data in the context of law enforcement. The approval of the GDPR and the law enforcement directive was a formality not requiring a vote.

“These new laws will ensure that the fundamental right to personal data protection is upheld for all European citizens,” European Commission First Vice-President Frans Timmermans, Vice-President for the Digital Single Market Andrus Ansip and Commissioner for Justice, Consumers and Gender Equality Vera Jourová said in an April 14 joint statement. In addition, the GDPR and Law Enforcement Directive “will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and certainty for businesses,” the officials said.

The laws were agreed to informally by the Parliament and Council of the EU, which represents the governments of the member states, in December 2015 (14 PVLR 2289, 12/21/15).

EU Privacy Chiefs' Guidance

Isabelle Falque-Pierrotin, the chairwoman of the Article 29 Working Party of data protection officials from the 28 EU member states, told Bloomberg BNA April 13 that the group's first guidance on the implementation of the regulation would be issued in September, and would concern the right of data portability—the right of data subjects to request transfers of their data between controllers—introduced by the GDPR.

Other priorities for DPA guidance during the transition period would be rules around the processing of high-risk data, privacy impact assessments, and consistency between DPAs in the oversight of privacy under the GDPR, Falque-Pierrotin said. The workload for DPAs in preparing for the GDPR would be considerable and “we probably won't have everything ready” by the time the regulation takes effect, she said.

Albrecht said April 13 that the regulation would be a “legal framework for the digital age,” and was “a huge step forward for rights in the EU.”

Passenger Name Records

Lawmakers also adopted a directive on the retention of passenger name record (PNR) data by airlines within the EU. Agreements are already in place between the EU and the U.S., and some other countries, to share PNR data for flights with officials in those destination countries.

Designed as a counter-terrorism measure, the PNR Directive will require EU countries to establish systems for airlines flying into and out of the EU to transfer PNR data to law enforcement agencies for security screening. The directive also specifies a data retention period of five years, and sets minimum data protection standards for handling of PNR data, such as a requirement for data to be anonymized after six months by masking out the elements that could directly identify a passenger (the directive's own term is “depersonalized,” and it permits the masked elements to be unmasked under conditions it specifies).


The PNR Directive was first proposed in 2011 (10 PVLR 193, 2/7/11), but was blocked by the Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee in 2013 because of concerns that it would allow excessive collection and retention of personal data (12 PVLR 1070, 6/17/13). The directive was revived after terrorist attacks in Paris in January 2015, and the LIBE committee approved it in December 2015 (14 PVLR 2273, 12/14/15).

Albrecht said in a statement that retention of PNR data was “a placebo at best” that would “undermine the fundamental rights of EU citizens.”

“Instead of mass data collection, there should be targeted surveillance of suspects and risk flights to a defined list of risk destinations,” he said.

Defending Air Data Collection

According to Timothy Kirkhope, a British Conservative lawmaker who was responsible for the PNR directive in the European Parliament, “by collecting, sharing and analyzing PNR information, our intelligence agencies can detect patterns of suspicious behavior to be followed up.”

“There were understandable concerns about the collection and storage of people's data, but I believe that the directive that we have adopted puts in place data safeguards,” Kirkhope said April 14.

Lawmakers have said that the PNR directive could be vulnerable to legal challenge and EU DPAs have criticized the approach as involving a disproportionate level of data collection (14 PVLR 565, 3/30/15).

The European Court of Justice in April 2014 invalidated the EU Data Retention Directive, a law that required Internet and telecommunications providers to retain customers' traffic and location metadata for access by law enforcement agencies (13 PVLR 660, 4/14/14), similar to the way the PNR directive would require airlines to supply data.

The European Parliament in November 2014 refused to ratify an EU-Canada PNR agreement, and referred it to the ECJ for an opinion on whether it represented disproportionate collection and retention of personal data (13 PVLR 2081, 12/8/14). After the PNR directive enters into force, which will be 20 days after its publication in the EU Official Journal, EU countries will have two years during which they must adopt its provisions in their national laws.

To contact the reporter on this story: Stephen Gardner in Brussels

To contact the editor responsible for this story: Jimmy H. Koo
