The European Parliament voted in favour of the European Commission’s data protection reform in a plenary session on 12 March 2014. The support for the regulation was overwhelming with 621 of 653 MEPs voting in favour of the regulation. This vote was an important signal of progress in the data protection reform procedure. The European Parliament gave its strong support for the structure and fundamental principles of the reform. The position of the Parliament is now irreversible and will not change even if the composition of the Parliament changes after the European elections in May.

The Parliament voted on the proposal for a new General Data Protection Regulation that was adopted by the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) in October 2013. The LIBE Committee provided multiple amendments to the original draft regulation prepared by the European Commission in January 2012.

The essential elements of the proposed regulation include:

One continent, one law

  • The regulation will establish a single, pan-European law for data protection. Multinational companies will only have to deal with one EU data protection supervisory authority instead of separate data protection authorities in every EU country where they operate.

Non-European companies will have to comply with the European data protection regulation

  • The regulation not only applies to businesses established in the EU, but also to non-European businesses that offer goods or services to European customers and process their personal data.

Data protection officer

  • Any company processing personal data relating to more than 5,000 data subjects during any successive 12-month period must employ a data protection officer. Appointing a data protection officer is also obligatory if the core activities of the controller or the processor consist of processing special categories of data (such as health information), location data or data on children or employees in large scale filing systems. Further, a data protection officer must be appointed if the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

Data breach notifications

  • Businesses and organisations must without undue delay inform both the authority and, in some cases, individuals of data breaches that could adversely affect them.

Administrative sanctions

  • Data protection authorities will be able to fine companies that do not comply with the rules up to EUR 100,000,000 or 5% of their annual worldwide turnover, whichever is higher.

The proposed data protection regulation will strengthen and harmonise data protection rules in the European Union. The reform will guarantee individuals more control over their personal data and make it easier for companies to operate in the European Union’s single market.

The next step for the new regulation will be approval by the Council of the European Union in June 2014.