The European Commission published a memo on 12 March 2014 declaring that the draft EU Data Protection Regulation (the Regulation) is now "irreversible" after the European Parliament voted overwhelmingly in favour of the Regulation with 621 votes in favour, 10 against and 22 abstentions.
The positive headline masks the fact that the European Parliament's plenary vote is generally a formality. The Regulation proved to be a contentious piece of legislation; it attracted the second-highest number of amendments ever, after the EU's seven-year budget.
But what's all the fuss about?
The Regulation, which was published on 25 January 2012, is the cornerstone of Europe's reforms relating to the digital economy and is closely followed by the draft Cyber Security Directive, which we discussed in our previous alert.
The Regulation proposes a comprehensive reform of the EU's 1995 data protection rules to strengthen online data protection and boost Europe's digital economy.
The European Commission believes data is the currency of today's digital economy, stating that the value of European citizens' personal data has the potential to grow to nearly €1 trillion annually by 2020. Accordingly, strengthening Europe's high standards of data protection is both a necessity to protect the rights of European citizens and a business opportunity.
The Regulation is set to bring in many new reforms, a number of which have been hotly debated over the last two years. During that period some of the proposed reforms have changed substantially, although the fundamental principles behind the Regulation remain intact.
What does the European Parliament want the Regulation to look like?
The Regulation's key proposals are summarised in a video we recorded shortly after the draft Regulation was issued in 2012.
On the whole, the European Parliament has reinforced the data protection law changes proposed by the European Commission in its 2012 draft, including:
- a tougher regime for obtaining consent and more circumstances in which consent is needed (e.g. profiling activities and use of children's data);
- more privacy notice information to be given; and
- new rights, such as the right to be forgotten and portability of data.
The version of the Regulation approved by the European Parliament (the press release links to the consolidated draft of the Regulation issued in October 2013 and so we assume that this is the approved draft) contains a number of changes to the original draft Regulation. Below we summarise the changes the European Parliament has proposed to what the European Commission calls the four 'pillars' of the Regulation.
Pillar one: One continent one law
The European Commission's biggest change is to replace the 1995 Data Protection Directive (the Directive), which each member state implemented separately, with the Regulation which will be directly applicable in all member states. The main reason for this change? Not all provisions of the Directive were implemented uniformly throughout the member states, which has created a patchwork of legislation across Europe.
When speaking at a press conference on 4 March 2014, the EU Commissioner, Viviane Reding, explained that the one continent one law principle is "at the heart of the data protection reform". All businesses operating in Europe will need to comply with the European law.
The European Parliament adopted this principle without making any changes to the European Commission's original proposal. The European Parliament did however propose changes to the fines that can be imposed under the Regulation.
The European Parliament extended the powers of the data protection regulators (in the UK this is the Information Commissioner's Office) by increasing the fines the regulator has the power to levy from the greater of €1,000,000 or 2% of annual worldwide turnover, up to €100,000,000 or 5% of annual worldwide turnover. These new levels dwarf the Information Commissioner's Office's existing powers, which give it the comparatively paltry right to levy fines of up to £500,000.
Pillar two: Compliance of data processors and non-European companies?
The Directive only applies to the data processing activities of a data controller (being the person that determines how and why the personal data is processed) established in the EU. Parts of the Regulation (such as security requirements and data transfer requirements) apply directly to data processors (i.e., entities that process personal data on behalf of the data controller).
The Regulation brings non-European businesses into scope. For the first time, data controllers not established in the EU will be required to comply with EU data protection law where the processing relates to offering goods or services to European citizens or monitoring behaviour of European citizens. The European Parliament extended this to any monitoring (not just monitoring behaviour) of European citizens.
This requirement is closely linked to the principle of one continent one law. During the speech referred to above, Viviane Reding commented that the Regulation is needed to "create a level playing field between European and non-European businesses".
The European Parliament ratified this principle and amended the Regulation to make it abundantly clear that the Regulation will also apply to non-European businesses that seek to exploit the European market.
A key change introduced by the European Parliament is to make 'producers' subject to the Regulation. These are essentially providers of automated systems (i.e. IT providers). Producers must ensure their systems enable customers to comply with their obligations under the Regulation, e.g. 'privacy by design' must be part of system design.
Pillar three: The rights of data subjects: The right to be forgotten and erasure
As was the case in the European Commission's draft of the Regulation, the European Parliament's proposal strengthens the rights of EU citizens by giving them the right, in certain circumstances, to require data controllers to delete their personal data and in some cases automatically delete personal data (e.g. when the stated data retention period expires).
Unsurprisingly this proposal was not well received by all. Businesses whose offering is online and dependent on processing large quantities of data (such as providers of e-commerce platforms, social networks, application stores and internet payment gateways) complained that the right was disproportionate to the changes they would need to implement and the costs they would incur doing so.
Those who had hoped the European Parliament would reduce the scope of this right will be disappointed to learn that the European Parliament voted to expand the data controller's obligations by clarifying that, where appropriate, the data controller may need to engage third parties to erase the individual's data, for example where the data controller has shared the data with those third parties.
Pillar four: One-stop-shop
The fourth principle of the Regulation is the appointment of a lead authority to govern the compliance of every company operating in the European single market. This is a fresh approach to the current position in which 28 authorities operate; each independently enforcing laws within their member state.
Under the new proposal, where an organisation is established in more than one member state or the personal data of individuals from several member states is processed, a lead authority (one of the 28) will be chosen to supervise that organisation. In practice, this means that every company operating in the European single market will only have to deal with one supervisory authority.
The European Parliament approved this proposal without making any material changes to the original draft Regulation.
To become law, the Regulation must also be approved by the European Council, which is comprised of ministers of the EU member states.
The Regulation has repeatedly been discussed at European Council meetings. Most recently, in October 2013, the European Council reached agreement in principle on the "one-stop shop". Further, on 25 October European heads of state and government committed to timely adoption of the new data protection reform.
The European Council's next meeting takes place in June 2014 and many now expect the Regulation to be finalised by the end of 2014 and effective in 2016.