On March 12, 2014, the European Parliament resoundingly voted for the EU General Data Protection Regulation ("Regulation") proposed by the EU Commission on January 25, 2012. The Parliament largely backed the report on the Regulation, and the amendments to it, that the Committee for Civil Liberties, Justice and Home Affairs ("LIBE") of the European Parliament adopted in October 2013. The Regulation as amended by the LIBE Committee could seriously affect companies operating in the EU. It requires, inter alia:
Antitrust-Like Fines. The Regulation increases the fining powers of authorities, such that fines can go up to the higher of €100 million or 5 percent of annual worldwide turnover (i.e., sales) in the case of an enterprise, instead of €1 million or 2 percent of annual worldwide turnover as proposed by the Commission.
Extended Territorial Scope. The Regulation would be applicable to a controller not established in the EU when its processing activities are related to either offering goods or services to individuals in the EU (irrespective of whether payment is required) or monitoring individuals in the EU.
Limitation on Legal Process Outside the EU. The Parliament added a provision stating that no third-country court judgment or administrative decision that requires disclosure of personal data will be recognized or enforced (except under an international agreement). Where such a request is made to a controller, it must obtain prior authorization from the supervisory authority before transferring or disclosing the data. The relevant data subjects must also be informed.
Data Protection Officers ("DPOs"). The controller and the processor must designate a DPO in cases in which processing is carried out by a legal person and relates to more than 5,000 data subjects in any consecutive 12-month period. This is a shift from the criterion of the number of employees (at least 250) suggested by the Commission. As a consequence, large companies with low data processing activities can be exempted, while small "Big Data" companies can be covered. DPOs are appointed for at least four years (in the case of employees) or two (in the case of external contractors).
This plenary vote means that the position of the EU Parliament will not change even if its membership changes as a result of the European elections in May 2014. However, in order for the Regulation to become law, it must also be adopted by the European Council, made up of all 28 EU Member States. Because the Council has not yet agreed upon a common position on the reform of data protection law, it is doubtful that the Regulation will be adopted this year.
Safe Harbor Suspension
On March 12, 2014, the European Parliament passed a resolution describing its findings and recommendations following a six-month investigation by the LIBE Committee into mass surveillance schemes carried out by the U.S. This resolution calls for the suspension of the U.S.-EU Safe Harbor Framework unless the U.S. satisfies the concerns of the EU Parliament. The EU Parliament further threatened to withhold its consent to the final Transatlantic Trade and Investment Partnership ("TTIP") deal with the U.S. The Safe Harbor scheme and TTIP are key elements promoting free data flows between the U.S. and EU.
Although the Parliament's resolution cannot invalidate the Safe Harbor Framework, it increases the political pressure on the EU Commission as it reconsiders the Safe Harbor Framework. In November 2013, the Commission issued 13 recommendations to improve the functioning of the Safe Harbor scheme, and it called upon U.S. authorities to identify remedies to perceived defects by summer 2014, at which time the Commission plans to review the Safe Harbor scheme generally.
While an immediate suspension of the Safe Harbor Framework seems unlikely, companies should closely monitor the developments and be prepared for heightened Safe Harbor requirements.