EU Data Protection Regulation: Do you move data across borders? New EU amendments aim to give more individual control over personal info


The EU Parliament’s Civil Liberties Committee (LIBE) has approved a compromise set of amendments to the EU Data Protection Regulation that moves the Parliament’s position to the left.

Two earlier proposals, from the European Commission and the EU Council of Ministers, were rejected by the Committee.

It is thought that fallout from the NSA scandal was a strong factor affecting the direction of these amendments.

We are pleased to provide some headline analysis of the vote, which took place on October 21, including a look at the impact of the amendments on businesses that move data across borders, and the likely next steps.

VOTE: INFLUENCED BY THE NSA SCANDAL?

In response to increased EU and external lobbying at the European Parliament level, many MEPs decided they would vote for the proposed compromise amendments that arose from the work of Jan Albrecht, Member of the European Parliament (MEP), member of the Greens/European Free Alliance, and lead rapporteur on the Commission’s draft Proposal for a General Data Protection Regulation as well as for the EU-US data protection framework agreement.

Observers have commented that these compromise amendments are quite far from some of the original, more business-friendly amendments which had been tabled in other EU legislative committees. One theory behind this outcome notes the influence of the NSA scandal on the positioning of certain MEPs, who perhaps felt it necessary for the sake of consumers and their electorate to take a firmer stance on data protection policy.

The vote saw a block approval of the majority of pre-tabled compromise amendments, and a majority position approving the remainder of compromise positions.

At the end of the vote, MEP Albrecht informed the European Parliament LIBE Committee that they would vote to enter into a trilogue negotiation with the Council (consisting of the 28 EU member states) to find a common position.  This will then form the final legal basis in Europe. It is worth noting that the rapporteur made this commitment to enter into a trilogue on the basis of a condition: whether or not the Council comes to a partial agreement, or no agreement at all, on a common position with the Parliament, the vote will proceed in the Plenary before the end of the current Parliamentary term in May 2014.

HIGHLIGHTS OF THE AMENDED REPORT AS APPROVED BY LIBE

Data transfers to non-EU countries
 
According to the adopted text, if a third country requests a company (such as a search engine, social network or cloud provider) to disclose personal information processed in the EU, then the company would first have to seek authorization from the national data protection authority before transferring any data. The company would also have to inform the person whose data is involved of such a request.

This proposal is a response to the mass governmental surveillance activities unveiled in the media in June 2013.
 
Sanctions
 
Companies breaking the rules would face fines of up to €100 million or up to 5 percent of the annual worldwide turnover, whichever is greater.  The European Commission had proposed penalties of up to €1 million or 2 percent of the global annual turnover.
 
Right to erasure
 
According to the Civil Liberties Committee, any person would have the right to have his or her personal data erased if he or she requests it. To strengthen this right, if a person asks a "data controller" (such as an Internet company) to erase his or her data, then the firm should also forward the request to others where the data are replicated. The "right to erasure" would cover the "right to be forgotten" as proposed by the Commission.
 
Explicit consent
 
Where processing is based on consent, an organisation or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his or her consent at any time. A person's consent means any freely given, specific, informed and explicit indication of his or her wishes, either by a statement or by a clear affirmative action. In addition, there are amendments to the use of the legitimate interests of the data subject as a basis for processing.
 
LIBE clarified that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. Withdrawing consent must be as easy as giving it.
 
Profiling

 
MEPs set limits to profiling, a practice used to analyze or predict a person's performance at work, economic situation, location, health or behavior. Profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure, and certain data sets would be prohibited for use in a profiling situation, such as administrative sanctions and judgements and gender identifiers. This will impact those who use such identifiers for decision making and individual identification purposes - it will mean that bankruptcy or court judgements cannot be used in a profiling or scoring decision model.

In many profiling situations, there must be the possibility of manual intervention and a full explanation of how the decision making process has been determined - this has a drastic impact on credit and financial services decision making activities.

One-stop-shop – one designated regulator

The European Parliament gave its support to the Commission's proposal to have a "one-stop-shop" for companies that operate in several EU countries and for consumers who want to complain against a company established in a country other than their own. This will mean that companies have one designated regulator in Europe, based upon the country of establishment for the company's main activities.

NEXT STEPS

As previously mentioned, the committee vote also mandates the European Parliament to start negotiations with the Council. Inter-institutional talks will start as soon as the Council agrees on its own negotiating position for both proposals (directive and regulation). Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. However, should a compromise position not be found, the European Parliament has committed to bind its position via the plenary vote - rather than allow a natural compromise to be formed, since this may take more time.

There will be limited time now to influence the final outcome - and as such strong, consistent and well-substantiated messaging can only be encouraged.