On 12 March 2014, the European Parliament (“Parliament”) voted overwhelmingly in favour of adopting the proposed General Data Protection Regulation (“Regulation”) in the form recommended by its LIBE Committee in October 2013 and in doing so moved the process

for reforming the European Union (“EU”) data protection framework a step closer to becoming reality.

No going back

Coming ahead of the Parliament elections in May 2014, the vote is important because it ensures that Parliament’s position on the reforms will not shift even if the elections result in changes to its composition.

The Regulation as proposed seeks to strike a balance between increasing the protection offered to EU citizens in relation to their personal data and simplifying the rules for businesses operating within the EU single market. This objective was endorsed by the EU Justice Commissioner Viviane Reding, who commented that:

the message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible. Europe’s directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens”.

Proposals for reforming the current EU framework established under the Data Protection Directive (95/46/EC) were first published by the European Commission (“Commission”) in January 2012 (“Original Text”). Progress has been slow, in large part due to intense lobbying by the private sector and the contrasting views of Member States on the appropriate balance to be struck between protecting individuals and accommodating business concerns.

Political pressure to expedite the data protection reforms has however intensified considerably following the revelations in June 2013 made by Edward Snowden (a former contractor with the National Security Agency) regarding the mass surveillance of EU citizens undertaken by US authorities.

The road ahead

To become law, the Council of the EU (“Council”) and Parliament must now negotiate and agree on the final form of the proposed Regulation.

This final step is likely to be challenging as Member States remain divided on many key aspects of the Regulation; whereas the Council’s draft amendments to the Original Text in May 2013 moved significantly toward accommodating business concerns, following the Edward Snowden revelations EU sentiment has swung firmly back to prioritising the protection of individuals. This is evidenced by the Regulation text approved by Parliament (for a summary of which see our previous Lexology article), which not only retains much of the Original Text but in certain key respects (notably, sanctions for non-compliance) seeks to impose even more onerous obligations on businesses.

Given the political pressure to reach agreement on the Regulation as soon as possible, the road ahead promises intense negotiations and compromise required of both sides.

Link to European Parliament press release: http://www.europarl.europa.eu/news/en/news-room/content/20131021IPR22706/html/Civil-Liberties-MEPs-pave-the-way-for-stronger-data-protection-in-the-EU