The European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee recently voted to approve amendments to a draft regulation that will aim to update and harmonize the European Union’s data protection regime. Currently, data protection rules are set out in a 1995 Directive (Directive 95/46/EC). The reforms aim to update the legislation and improve the level of EU harmonization in this area by addressing that fact that the 1995 Directive tends to be implemented and interpreted differently in different EU Member States. The draft legislation and amendments are available here and here. Among the modifications, the regulation would apply to companies with an establishment in the EU, even if the data processing is done outside the EU and would also apply to the processing of EU consumer data, even where the company has no establishment in the EU. The draft regulations also impose restrictions on the extent to which companies can rely on individuals’ consent to the processing of their personal data. The draft also includes a requirement to notify the relevant supervisory authority “without undue delay” when there has been a breach of personal information (this is a relaxation of the requirement in the previous draft which had stated that such breaches should be notified within 24 hours). The draft also provides for companies to request a “European Data Protection Seal,” a certification that confirms that its personal data processing is carried out in compliance with the legislation. Obtaining such a certification would guarantee companies immunity from fines except in cases of intentional or negligent non-compliance. The draft also provides for penalties in the event of violations of up to 100 000 000 EUR or up to 5% of the annual worldwide turnover of an enterprise, whichever is greater.
TIP: While there are still many steps left before the draft regulations are finalized, the changes the LIBE Committee recently voted on demonstrate general European privacy concerns including notifications in the event of a data breach and restrictions on consent as a basis for data transfers. Companies with a base in the EU, and those outside the EU that process EU consumer data, should keep these concerns in mind when developing current practices, and monitor the progress of the draft legislation. (The progress of the legislation can be followed here.)