The European Parliament has proposed a new legal framework for data protection in the European Union (“New Data Protection Regulation”). The New Data Protection Regulation will require companies to increase their efforts in complying with EU data protection laws and will impose severe sanctions for violations. Companies will therefore be required to extensively revisit their compliance programs.
The purpose of the New Data Protection Regulation is to:
- increase the harmonization level of the data protection regimes in the EU;
- increase penalties for violations; and
- implement higher levels of protection for data subjects.
Harmonization of the Data Protection Regimes
The current EU Directive on Data Protection (95/46/EC), dating from 1995, grants the 28 Member States broad discretion in the implementation of minimal standards. This results in different levels of protection across the Member States of the European Union.
The New Data Protection Regulation will have binding effect on all Member States, except in pre-defined limited circumstances (e.g. data protection for employees).
The level of sanctions for the violation of data protection laws will be increased substantially and will, indeed, come close to those imposed for anti-trust infringements. Fines of up to EUR 100 million or up to 5% of the annual worldwide turnover of the relevant company, whichever is greater, may be levied. Currently, the fines are fairly limited and vary from Member State to Member State (e.g. Germany: EUR 300,000).
Substantial New Restrictions
The New Data Protection Regulation proposes substantial new restrictions:
- European Data Protection Supervision. A new EU supervising authority will be established, which will actively monitor compliance with the New Data Protection Regulation;
- Data Transfer Outside the EU. Transferring personal data of EU citizens shall only be permissible if an explicit legal basis for such transfer exists and is evident (e.g. Safe Harbor – USA). While this is not entirely new, transferring personal data outside the EU shall require, in addition to the legal justification, the consent of the data protection authorities competent for the relevant company.
- Express Consent Required. Without the consent of the data subjects, a company may process or transfer personal data only according to pre-defined “limited” circumstances. In addition, companies may not create user profiles if this has not been expressly allowed by the data subjects.
- More Controllers. In the future, any company doing business in the EU must appoint a data protection officer if it processes data of more than 5,000 persons. Currently, this requirement is connected to the number of personnel employed at the relevant company.
- Easier Deletion Rights. Data subjects shall have the right to request information on collection of their data and to request the deletion of their data more easily.
- Review of Safe Harbor Framework. It is proposed that the current Safe Harbor framework between the EU and the US be reviewed to confirm whether data transfer to the US can still be regarded as justified. This seems to be another reaction of the EU Parliament to the surveillance affairs connected with the US Foreign Intelligence Surveillance Act.
Further Legislative Procedure
The New Data Protection Regulation has not yet been enacted and is still only a proposal to the EU Commission and the Council of Ministers of the European Union (“EU Council”). The New Data Protection Regulation will be discussed by, and negotiated between, these European institutions prior to the final approval by the EU Council. Further amendments to the proposal of the European Parliament are expected.