European Parliament Panel OKs Regulation On Data Protection After Major Changes

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  

Oct. 22 --International companies operating in the European Union would face stricter rules on transfer of their customers' data outside the bloc and potential multimillion dollar fines for noncompliance under an amended version of the draft EU data protection regulation approved by the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) late Oct. 21.

But lawmakers on the committee, sitting in Strasbourg, France, made other changes that modified requirements that would have posed new compliance requirements on companies, including removing a provision that would have required companies to provide data breach notification within 24 hours after discovering a breach.

Jörg Hladjk of Hunton & Williams LLP, in Brussels, told Bloomberg BNA Oct. 22 that the committee had introduced some “radical changes” to the proposed regulation.

In particular, the committee put in place a “very significant” modification by requiring the appointment of data protection officers by all data processors that process the personal data of more than 5,000 data subjects per year, Hladjk said. The amendment struck a commission proposal that the requirement to appoint a data protection officer should not apply to companies with fewer than 250 employees.

LIBE also approved a new provision to introduce a European data protection trust seal to certify data controllers that qualify as being in full compliance with the regulation. A European data protection seal to demonstrate compliance with the regulation would potentially be “useful for companies,” Hladjk said.

91 Amendments

In total, LIBE approved 91 amendments that make changes to most of the text of the original draft regulation proposed by the European Commission, the EU's executive arm, in January 2012 (11 PVLR 178, 1/30/12). The data protection regulation is designed to replace the 1995 EU Data Protection Directive (95/46/EC).

The committee vote came six months after it was initially scheduled for April. The vote was postponed several times, most recently to process proposed amendments and consider how the U.S. National Security Agency's PRISM Internet surveillance program might affect the legislation .

The 91 adopted amendments were a distillation of more than 3,000 amendments submitted to the European Parliament's lead negotiator, or rapporteur, German Green lawmaker Jan Philipp Albrecht .

The amended regulation asserts that the EU would retain jurisdiction over personal data processing regardless of where the data are processed. The committee “voted to make clear that it is exclusively EU law that applies to EU citizens' private data online, regardless of where the business processing their data” is located, Albrecht said in an Oct. 21 statement.

Fines, Consent

The committee adopted an amendment raising the maximum fines for companies found to be in violation of the new regulation. The commission proposed a maximum fine of 1 million euros ($1.4 million), or 2 percent of a company's annual worldwide revenue.

Under the approved amendment, companies would face a maximum fine of 100 million euros ($137 million), or 5 percent of a company's annual worldwide revenue.


Companies would face a maximum fine of 100 million euros ($137 million), or 5 percent of a company's annual worldwide revenue.  

On the power of data protection authorities to levy fines, Hladjk said that the committee had introduced a list of criteria that should be taken into account when deciding on the level of fines, rather than the more detailed list of situations in which fines could be imposed, and related levels of fines, that was put forward by the commission.

This was a “big surprise to many people,” Hladjk said, adding that the civil liberties committee had also introduced a right for data subjects to seek compensation for unlawful processing of their data.

The committee adopted stricter rules on consent. LIBE added provisions that “it shall be as easy to withdraw consent as to give it,” and that profiling should only be allowed subject to the consent of data subjects.

LIBE also changed the right to be forgotten principle proposed by the commission to become a “right to erasure of data” upon the request of the data subject.

Government Surveillance

One change adopted by the committee directly addressed privacy concerns related to government surveillance.

LIBE adopted a requirement for companies operating in the EU to obtain permission from a national data protection authority before transferring the personal information of EU customers outside the EU in response to a request from a non-EU government.

In addition, the committee introduced a provision obliging the data processor or controller to inform the data subject of any such request.

Albrecht, speaking to journalists Oct. 22, said that the provisions on data transfers in response to third-country requests had gained general support within the European Parliament in the wake of leaks of classified data by NSA contractor Edward Snowden.

The leaks showed that “there is a problem of noncompliance, especially of big IT companies coming from outside the European market. We needed to answer that,” Albrecht said.

The leaks by NSA contractor Edward Snowden showed that “there is a problem of noncompliance, especially of big IT companies coming from outside the European market. We needed to answer that.”  
Jan Philipp Albrecht, European Parliament Rapporteur,
EU Data Protection Regulation

Karin Retzer, a partner at Morrison & Foerster LLP, in Brussels, told Bloomberg BNA Oct. 22 that Snowden's revelations had “changed the political support for the regulation,” with European politicians putting greater emphasis on the protection of the data rights of EU citizens.

However, the requirement for companies to seek the approval of an EU national data protection supervisor before responding to a third-country request is “basically impossible” in practice, she added.

“It takes two years to get authorization in Austria, for example,” which would likely clash with deadlines imposed by requesting governments, Retzer said.

Problems of slow procedures in European DPAs are commonly due to a lack of resources, and will not be resolved by new procedures put in place by the EU data protection regulation, she said.

Meanwhile, in an Oct. 24 press conference, European Parliament President Martin Schulz said the U.S.-EU Transatlantic Trade and Investment Partnership negotiations should be suspended until allegations of spying by the NSA on EU governments and institutions are clarified.

In an Oct. 24 speech to the European Council, Schulz said the European Parliament is “calling for the exchange of bank data with the Americans to be temporarily suspended” (see related report).

“Only when people are confident that their data are safe and cannot be diverted for another purpose will they actually take advantage of the opportunities offered by a digital single market. Even before the revelations about the NSA scandal, 70% of European citizens were worried about the lack of data protection on the internet!,” Schulz said.

Next Steps

The committee's approval of the draft regulation was a preparatory step that sets out the position of the European Parliament on the data protection reform ahead of negotiations on the final legislation with the EU Council, which represents the governments of EU member states.

LIBE voted 51-1, with 3 abstentions, for Albrecht to start negotiations directly with the EU Council, with the objective of reaching an agreement that the full European Parliament could vote on in April 2014.

Albrecht said that the aim was to finalize the data protection reform before European Parliament elections in May 2014.

Albrecht said in his Oct. 21 statement that EU leaders, who will meet in Brussels Oct. 24-25, should “give a clear signal” in favor of quickly finalizing the regulation, ahead of a meeting of EU justice ministers Dec. 5-6, at which the draft regulation will be discussed.

Lawmakers, Privacy Advisers Support Revision

Lawmakers stressed that the version of the draft data protection regulation approved by the civil liberties committee had widespread backing within the European Parliament, and that this should be taken into account in finalizing it.

German center-right member of the European Parliament Axel Voss said in a statement Oct. 22 that the approved text was a “major step forward compared to the present directive.”

The change of the rule obliging companies processing the personal data of more than 5,000 data subjects per year to appoint a data protection officer would mean that the “reporting and information requirements of an enterprise will depend on the actual risk in relation to the data processing,” rather than on company size, Voss said.

Sarah Ludford, a U.K. liberal lawmaker, said in an Oct. 21 statement that the committee had approved a “balanced text” that makes “obligations on data controllers less process-based and more risk-based,” and includes “strict safeguards against unwarranted surveillance and on the possibility of tough sanctions for rule-breakers.”

European Data Protection Supervisor Peter Hustinx and Jacob Kohnstam, chairman of the Article 29 Working Party, the European Commission's official data protection advisory body, Oct. 22 issued separate statements expressing support for the LIBE action in moving forward on the proposed data protection regulation.

German Federal Commissioner for Data Protection and Freedom of Information Peter Schaar Oct. 22 issued a statement calling on the German government to support the amended proposed regulation. “I hope that the governments of the 28 EU Member States represented in the Council conceive this as an opportunity to decide rapidly the reform of data protection,” he said.

European Parliament President Schulz Oct. 24 told the European Council--which defines the general political direction and priorities of the EU but is not part of the official decisionmaking process for the proposed regulation and is distinct from the EU Council--LIBE's “overwhelming majority” vote in favor of the amended regulation “is a powerful signal from Parliament in support of data protection.”

But EU business federation BusinessEurope said in a statement Oct. 22 that the version of the regulation backed by the civil liberties committee risked damaging the “data-driven economy” because it “adds administrative burdens for companies and creates obstacles to the process and transfer of personal data, on which the digital economy is based.”

Law Enforcement Directive Approved

Also Oct. 21, LIBE approved an amended draft directive on the processing of data by law enforcement authorities.

The draft directive was introduced by the European Commission in January 2012 at the same time it unveiled the proposed data protection regulation .

Dimitrios Droutsas, the Greek center-left lawmaker who is the European Parliament rapporteur for the directive, said that he and Albrecht would seek to negotiate with the EU Council on the regulation and directive as a package.

Speaking to reporters Oct. 22 Droutsas added that a stricter approach to enforcement of EU data protection rules are needed for international companies “because they are the ones that can play and do nasty things with personal data.”

Robust rules on data transfers outside the EU are needed because “we are now in a new era regarding data protection, we are in the post-PRISM or post-Snowden era,” Droutsas said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor on this story: Donald G. Aplin at

Amendments 1-29 to the proposed EU data protection regulation adopted by LIBE are available at

Amendments 30-91 are available at

The adopted amendments to the draft directive on the processing of data by law enforcement authorities are available at

Request Bloomberg Law: Privacy & Data Security