New EU Data Protection Regulation – Do you move data across borders? Read this post.

As our colleagues Emma Thomas and Jim Halpert also reported yesterday, last October 21 the EU Parliament’s Civil Liberties Committee (LIBE) approved a compromise set of amendments to the EU Data Protection Regulation.

Two earlier proposals, from the European Commission and the EU Council of Ministers, were rejected by the Committee, and the NSA scandal was probably a strong factor affecting the direction of these amendments.

What are the main points?

Data transfers to non-EU countries: a new authorization regime applies when a third country requests a company (e.g. a social network) to disclose personal data processed in the EU.

Sanctions: fines increase to up to €100 million or up to 5 percent of the annual worldwide turnover, whichever is greater. It should be noted that the European Commission had proposed penalties of up to €1 million or 2 percent of the global annual turnover.

Right to erasure: the “right to erasure” is a broader category and would cover the “right to be forgotten” as proposed by the Commission.

Explicit consent: LIBE clarified that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. Withdrawing consent must be as easy as giving it.

Profiling: profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure, and certain data sets would be prohibited for use in a profiling situation, such as administrative sanctions and judgements and gender identifiers. This will impact those who use such identifiers for decision making and individual identification purposes – it will mean that bankruptcy or court judgements cannot be used in a profiling or scoring decision model. In many profiling situations, there must be the possibility of manual intervention and a full explanation of how the decision making process was determined – this will have a drastic impact on credit and financial services decision making activities.

One-stop-shop – one designated regulator: companies that operate in several EU countries will have one designated regulator in Europe, based upon the country of establishment for the company’s main activities. This is relevant for consumers who want to complain against a company established in a country other than their own.