On March 12, 2014, the European Parliament formally approved a new draft Data Protection Regulation. Support was overwhelming: 621 Members voted for the Regulation, with only 10 against and 22 abstaining.
Proposed reforms to the EU Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC) were first published in January 2012 as part of the European Commission’s efforts to modernise data protection rights and procedures. These efforts have since been delayed due to opposing views on tighter data protection rules between those who consider them a necessity and those who feel over-regulation would harm business interests.
The much-needed stimulus for the EU reform certainly came from last year’s disclosure of the US government’s vast electronic data spying program. In reaction to the European Parliament vote, Vice-President Viviane Reding, the EU’s Justice Commissioner, explicitly referred to the scandal by declaring data protection to be “more than ever a competitive advantage” for Europe.
The main provisions of the reform, which would lead to a major overhaul of the current data protection framework, can be summarized as follows:
- One continent, one law: the Regulation would establish a single law for all Member States instead of the current 28 sets of rules that can vary greatly from one jurisdiction to another;
- Widened territorial scope: non-European companies would have to apply the EU data protection law in full when offering goods and services to European consumers, whereas today European companies must comply with stricter standards of data protection than businesses located outside the EU;
- Reduced formalities: the Regulation would establish a “one-stop-shop” for businesses, meaning that EU companies operating in various Member States would only have to deal with the data protection authority of their main country of establishment, making it simpler and cheaper for companies to do business in the EU. Also, the Regulation reduces costs and red tape for small and medium enterprises, notably by exempting them from (i) notification requirements with data protection authorities and (ii) the obligation to appoint a data protection officer when data processing is not the core business activity of the enterprise;
- Greater user protection: user consent, whenever required for data to be processed, must be explicit and not assumed. Also, users must be guaranteed a “right to be forgotten” enabling them to request the deletion of their data whenever they no longer want their data to be processed and there are no legitimate grounds to retain them. Another essential provision of the Regulation would require businesses to design their systems in a way that uses the minimum data needed for the provision of a service and with the most privacy-friendly settings as default settings;
- Increased fines: in case of non-compliance with the Regulation, fines up to €100 million or 5% of the company’s turnover, whichever is higher, may be imposed by data protection authorities.
Although there is widespread support for the proposed new data protection framework from the European Commission, the European Parliament and consumer groups, hurdles loom ahead. In particular, the business community feels the new set of rules will be too burdensome for business operations, putting Europe at a disadvantage in the competitive area of new technologies.
More importantly, in order to become law and thus be enforceable, the draft Regulation must be adopted by the European Council, which brings together the 28 Member States (under the ordinary legislative procedure, also known as co-decision). Negotiations between the European Council and the European Parliament are expected to begin in June 2014, with Member States still far from agreeing on a common approach.