On March 12, 2014, the European Parliament approved a data-protection reform bill that would, among other things, increase the maximum fine for violating the EU's data-protection laws to €100 million or 5 percent of the violator's global annual turnover. The new reform is part of an effort to replace the existing and outdated EU Data Protection Directive, adopted in 1995, with the more modern and currently pending General Data Protection Regulation (GDPR).
While the GDPR is still subject to negotiations between the EU Council, the European Parliament and the European Commission, companies should take note of some significant changes that will occur if the GDPR becomes law. For example, prior to releasing an EU citizen's personal information to another country, a search engine, social-networking site or cloud-storage provider must obtain permission from a national data-protection authority in the EU and notify the individual who is the subject of the request.
Other important reform measures include —
Requiring companies to erase an individual's data upon his or her request;
Compelling companies to notify authorities of a data breach within 72 hours or as soon as it is feasible to do so;
Setting limits on a company’s ability to profile users of its services; and
Requiring Internet service providers to obtain an individual's explicit consent prior to processing his or her personal information.
A few aspects of the GDPR are still hotly contested among EU lawmakers. For example, Parliament is asking for much harsher fines in its draft of the GDPR than the €1 million or 2 percent of global annual turnover that the European Commission is seeking in its version. In addition, the EU Council has failed to commit to a "one-stop shop" provision that would permit multinational companies to deal with a single EU Data Protection Authority.
In order for the GDPR to become law, three government bodies of the EU must formally adopt it: (1) the European Parliament; (2) the European Commission; and (3) the EU Member State representatives that make up the EU Council. Assuming the GDPR does not get bogged down in negotiations, lawmakers believe they will be able to agree on a final draft of the law before the end of the year.