After a broad consensus was reached between EU political parties, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) has voted overwhelmingly in favour of a draft data protection regulation (the “Regulation”), which means the Regulation will move on to the next stage in the legislative process. The EU Parliament now has a mandate for negotiations with the Council and will work towards reaching a common agreement.
The LIBE draft, which will form the basis of those negotiations, includes a number of important changes to the previous patchwork of EU data protection laws. These include:
- A user’s “right of erasure” of personal data from the internet, which can in practice be exercised against firms like Google or Facebook, who must then forward this request to others where the data are copied;
- Transfers to third country authorities, such as the NSA, can only occur under European Law or an agreement based on European Law;
- Personal data will be defined as information that can be directly or indirectly linked to a person or used to single a person out from a larger group;
- A right of users to understandable information on how their own data are processed, both while they are processed and as a basis of informed consent to the processing;
- A requirement for users to opt-in to processing not necessary for the provision of a service. Organisations must also inform users whether data are retained longer than necessary for specific, identified purposes;
- Privacy by design whereby data processors will be required to design their systems in a way that uses the minimum data needed for the provision of a service and with the most data-protection orientated settings as default;
- Data protection officers will be mandatory within organisations depending on the number of people whose personal data are processed;
- A “one-stop-shop” approach to enforcement, whereby citizens can go to their national authority for complaints covering breaches anywhere in the EU, while companies need only deal with the authority of their main country of establishment. A new European Data Protection Board will hear appeals and make final decisions to ensure harmonisation of enforcement; and
- Fines of up to 5% of global turnover for organisations for non-compliance with the Regulation.
In its passage through LIBE, over 4,000 amendments were made to the original draft Regulation first conceived in January 2012. The task of aligning the national interests of 28 member states represented on the Council will likely mean that many more changes will be made before the Regulation is adopted.
Inter-institutional talks will begin when the Council sets its own negotiating position.