Oct. 22 -- International companies operating in the European Union would face stricter rules on transfer of their customers' data outside the bloc and potential multimillion dollar fines for noncompliance under an amended version of the draft EU data protection regulation approved by the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) late Oct. 21.
But lawmakers on the committee, sitting in Strasbourg, France, made other changes to provisions that would have imposed new compliance requirements on companies, including removing a provision that would have required companies to provide data breach notification within 24 hours after discovering a breach.
Jörg Hladjk of Hunton & Williams LLP, in Brussels, told Bloomberg BNA Oct. 22 that the committee had introduced some “radical changes” to the proposed regulation.
In particular, the committee put in place a “very significant” modification by requiring the appointment of data protection officers by all data processors that process the personal data of more than 5,000 data subjects per year, Hladjk said. The amendment struck a commission proposal that the requirement to appoint a data protection officer should not apply to companies with fewer than 250 employees.
LIBE also approved a new provision to introduce a European data protection trust seal to certify data controllers that qualify as being in full compliance with the regulation. A European data protection seal to demonstrate compliance with the regulation would potentially be “useful for companies,” Hladjk said.
In total, LIBE approved 91 amendments that make changes to most of the text of the original draft regulation proposed by the European Commission, the EU's executive arm, in January 2012 (11 PVLR 178, 1/30/12). The data protection regulation is designed to replace the 1995 EU Data Protection Directive (95/46/EC).
The committee vote came six months after it was initially scheduled for April. The vote was postponed several times, most recently to process proposed amendments and consider how the U.S. National Security Agency's PRISM Internet surveillance program might affect the legislation.
The 91 adopted amendments were a distillation of more than 3,000 amendments submitted to the European Parliament's lead negotiator, or rapporteur, German Green lawmaker Jan Philipp Albrecht.
The amended regulation asserts that the EU would retain jurisdiction over personal data processing regardless of where the data are processed. The committee “voted to make clear that it is exclusively EU law that applies to EU citizens' private data online, regardless of where the business processing their data” is located, Albrecht said in an Oct. 21 statement.
The committee adopted an amendment raising the maximum fines for companies found to be in violation of the new regulation. The commission proposed a maximum fine of 1 million euros ($1.4 million), or 2 percent of a company's annual worldwide revenue.
Under the approved amendment, companies would face a maximum fine of 100 million euros ($137 million), or 5 percent of a company's annual worldwide revenue.
On the power of data protection authorities to levy fines, Hladjk said that the committee had introduced a list of criteria that should be taken into account when deciding on the level of fines, rather than the more detailed list of situations in which fines could be imposed, and related levels of fines, that was put forward by the commission.
This was a “big surprise to many people,” Hladjk said, adding that the civil liberties committee had also introduced a right for data subjects to seek compensation for unlawful processing of their data.
The committee adopted stricter rules on consent. LIBE added provisions that “it shall be as easy to withdraw consent as to give it,” and that profiling should only be allowed subject to the consent of data subjects.
LIBE also changed the right to be forgotten principle proposed by the commission to become a “right to erasure of data” upon the request of the data subject.
One change adopted by the committee directly addressed privacy concerns related to government surveillance.
LIBE adopted a requirement for companies operating in the EU to obtain permission from a national data protection authority before transferring the personal information of EU customers outside the EU in response to a request from a non-EU government.
In addition, the committee introduced a provision obliging the data processor or controller to inform the data subject of any such request.
Albrecht, speaking to journalists Oct. 22, said that the provisions on data transfers in response to third-country requests had gained general support within the European Parliament in the wake of leaks of classified data by NSA contractor Edward Snowden.
The leaks showed that “there is a problem of noncompliance, especially of big IT companies coming from outside the European market. We needed to answer that,” Albrecht said.
Karin Retzer, a partner at Morrison & Foerster LLP, in Brussels, told Bloomberg BNA Oct. 22 that Snowden's revelations had “changed the political support for the regulation,” with European politicians putting greater emphasis on the protection of the data rights of EU citizens.
However, the requirement for companies to seek the approval of an EU national data protection supervisor before responding to a third-country request is “basically impossible” in practice, she added.
“It takes two years to get authorization in Austria, for example,” which would likely clash with deadlines imposed by requesting governments, Retzer said.
Problems of slow procedures in European DPAs are commonly due to a lack of resources, and will not be resolved by new procedures put in place by the EU data protection regulation, she said.
Meanwhile, in an Oct. 24 press conference, European Parliament President Martin Schulz said the U.S.-EU Transatlantic Trade and Investment Partnership negotiations should be suspended until allegations of spying by the NSA on EU governments and institutions are clarified.
In an Oct. 24 speech to the European Council, Schulz said the European Parliament is “calling for the exchange of bank data with the Americans to be temporarily suspended” (see related report).
“Only when people are confident that their data are safe and cannot be diverted for another purpose will they actually take advantage of the opportunities offered by a digital single market. Even before the revelations about the NSA scandal, 70% of European citizens were worried about the lack of data protection on the internet!,” Schulz said.
The committee's approval of the draft regulation was a preparatory step that sets out the position of the European Parliament on the data protection reform ahead of negotiations on the final legislation with the EU Council, which represents the governments of EU member states.
LIBE voted 51-1, with 3 abstentions, for Albrecht to start negotiations directly with the EU Council, with the objective of reaching an agreement that the full European Parliament could vote on in April 2014.
Albrecht said that the aim was to finalize the data protection reform before European Parliament elections in May 2014.
Albrecht said in his Oct. 21 statement that EU leaders, who will meet in Brussels Oct. 24-25, should “give a clear signal” in favor of quickly finalizing the regulation, ahead of a meeting of EU justice ministers Dec. 5-6, at which the draft regulation will be discussed.
Lawmakers stressed that the version of the draft data protection regulation approved by the civil liberties committee had widespread backing within the European Parliament, and that this should be taken into account in finalizing it.
German center-right member of the European Parliament Axel Voss said in a statement Oct. 22 that the approved text was a “major step forward compared to the present directive.”
The change of the rule obliging companies processing the personal data of more than 5,000 data subjects per year to appoint a data protection officer would mean that the “reporting and information requirements of an enterprise will depend on the actual risk in relation to the data processing,” rather than on company size, Voss said.
Sarah Ludford, a U.K. liberal lawmaker, said in an Oct. 21 statement that the committee had approved a “balanced text” that makes “obligations on data controllers less process-based and more risk-based,” and includes “strict safeguards against unwarranted surveillance and on the possibility of tough sanctions for rule-breakers.”
European Data Protection Supervisor Peter Hustinx and Jacob Kohnstamm, chairman of the Article 29 Working Party, the European Commission's official data protection advisory body, Oct. 22 issued separate statements expressing support for the LIBE action in moving forward on the proposed data protection regulation.
German Federal Commissioner for Data Protection and Freedom of Information Peter Schaar Oct. 22 issued a statement calling on the German government to support the amended proposed regulation. “I hope that the governments of the 28 EU Member States represented in the Council conceive this as an opportunity to decide rapidly the reform of data protection,” he said.
European Parliament President Schulz Oct. 24 told the European Council--which defines the general political direction and priorities of the EU but is not part of the official decisionmaking process for the proposed regulation and is distinct from the EU Council--that LIBE's “overwhelming majority” vote in favor of the amended regulation “is a powerful signal from Parliament in support of data protection.”
But EU business federation BusinessEurope said in a statement Oct. 22 that the version of the regulation backed by the civil liberties committee risked damaging the “data-driven economy” because it “adds administrative burdens for companies and creates obstacles to the process and transfer of personal data, on which the digital economy is based.”
Also Oct. 21, LIBE approved an amended draft directive on the processing of data by law enforcement authorities.
The draft directive was introduced by the European Commission in January 2012 at the same time it unveiled the proposed data protection regulation.
Dimitrios Droutsas, the Greek center-left lawmaker who is the European Parliament rapporteur for the directive, said that he and Albrecht would seek to negotiate with the EU Council on the regulation and directive as a package.
Speaking to reporters Oct. 22, Droutsas added that a stricter approach to enforcement of EU data protection rules is needed for international companies “because they are the ones that can play and do nasty things with personal data.”
Robust rules on data transfers outside the EU are needed because “we are now in a new era regarding data protection, we are in the post-PRISM or post-Snowden era,” Droutsas said.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor on this story: Donald G. Aplin at email@example.com
Amendments 1-29 to the proposed EU data protection regulation adopted by LIBE are available at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_01-29/comp_am_art_01-29en.pdf.
Amendments 30-91 are available at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_30-91/comp_am_art_30-91en.pdf.
The adopted amendments to the draft directive on the processing of data by law enforcement authorities are available at http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/comp_am_art_01-64/comp_am_art_01-64en.pdf.