On 21 October 2013, the European Parliament voted in favour of its compromise text of the draft General Data Protection Regulation originally published by the European Commission in January of last year. This compromise text sets out the position of the European Parliament for its future negotiations with the European Commission and the Council of Ministers on the final text of the Regulation.
The European Parliament has largely endorsed the Regulation as originally published, but the compromise text does propose a sizeable number of amendments. The most noteworthy of these amendments are as follows:
- More Punitive Fines: the compromise text proposes fines of up to 5% of an enterprise’s annual worldwide turnover or €100 million (whichever is greater) compared to the European Commission’s proposal for fines of up to 2% of an enterprise’s annual worldwide turnover or €1 million.
- Extended Territorial Scope: the compromise text extends the already broad territorial scope of the Regulation by proposing that EU data protection law should apply to both data controllers and data processors based outside of the EU who process personal data in connection with the provision of services to or monitoring of individuals in the EU. It is also proposed to eliminate the EU residency requirement previously attaching to this provision, which may result in the application of EU data protection law to the processing of personal data of individuals who are temporarily present in the EU.
- Changes to Processing on the Basis of Consent: the compromise text reinforces the requirement that consent to processing must be freely given by providing that a service cannot be made conditional upon user consent to the processing of personal data not necessary for the service. In addition, consent will cease to be a valid basis for the processing of personal data where the purpose for the processing ceases or the processing is no longer necessary to carry out the original purpose.
- Strengthening of Data Subject Rights: the compromise text proposes that data controllers be required to notify data subjects as to whether their personal data was provided to public authorities in the preceding 12 months and also introduces a new Article 10a which summarises the rights provided to data subjects.
- Profiling: the compromise text provides that profiling which results in measures producing legal effects or significantly affecting the data subject is only permissible if (i) necessary to enter or perform a contract in circumstances where suitable measures to protect the individual’s legitimate interests are in place; (ii) expressly provided for by EU or member state law; or (iii) based on consent. Other profiling activity is generally permissible provided that a right to object is highlighted. Profiling based on pseudonymous data (which is defined as data that cannot be attributed to a specific individual without the use of data held separately) falls under the latter category of profiling activity that is generally permissible.
- Data Protection Officers (“DPO”): the compromise text alters the trigger for the appointment of a DPO to the number of people (5,000 or more) whose personal data is processed in any consecutive 12-month period, or to instances where an enterprise’s core processing activities relate to processing sensitive personal data, location data, children’s data or employee data in large-scale filing systems. The minimum term for a DPO is extended to four years (for employees) or two years (for contractors), and a list of minimum qualifications is inserted (Recital 75a).
- Changes to Breach Notification Framework: the compromise text replaces the 24-hour window to report a personal data breach to the relevant data protection authority with a requirement to notify “without undue delay”.
- European Data Protection Seal and International Transfers: the compromise text introduces a certification programme named the “European Data Protection Seal”. This enables data controllers and processors to have their data processing activities audited and certified by data protection authorities or accredited third parties. Any organisation that holds such a seal may rely upon it to transfer personal data outside of the EEA to a recipient who also holds a valid seal. A seal shall remain valid for up to five years. To encourage certification, the compromise text also provides that the holder of a seal who violates the Regulation would only be subject to a fine if the breach was intentional or negligent.
- Restrictions on Transfers: the compromise text prohibits the transfer of personal data pursuant to an order of a court, tribunal or administrative authority of a country that is not deemed “adequate” by the European Commission. For such a transfer to be legitimate, an enterprise would have to notify the national data protection authority of the request without undue delay and obtain its prior authorisation to the transfer.
- Changes to the Right to be Forgotten: the compromise text proposes replacing the European Commission’s proposed “right to be forgotten” with a “right to erasure” but leaves the substance of this right generally intact. The compromise text does include a welcome restriction on the right to erasure by providing that where the relevant type of storage technology does not allow for erasure and has been installed before the entry into force of the Regulation, the enterprise’s obligations extend to a requirement to restrict (as opposed to erase) the requester’s personal data.
- Privacy Notices: the European Parliament proposes that information will be required to be displayed in two ways: through a yes/no icon-based table and through a detailed notice. The compromise text also expands the prescribed contents for detailed notices.
The next step is for the Council of Ministers to agree on its negotiating position for the Regulation, after which negotiations between the European Parliament, the European Commission and the Council of Ministers will be scheduled to agree on the final form of the Regulation. Although the compromise text represents significant progress towards the adoption of the Regulation, its significance has been somewhat tempered by the consensus emerging from European leaders (following the European Council meeting on 24/25 October) that the adoption of the Regulation may now be more likely to occur in 2015 and not prior to the European Parliamentary elections in May 2014, as previously anticipated.