Further to the vote that was conducted earlier this week in the European Parliament’s Civil Liberties Committee, concerning the revision of the Data Protection framework in Europe, we are pleased to be able to send you some headline analysis of the vote and the next steps which will be taken.
Following on from increased EU and external lobbying activities which have taken place at European Parliament level, many MEPs determined that they would vote with the proposed compromise amendments which had been tabled in conjunction with the rapporteur Jan Albrecht MEP. Observers have commented that these compromise amendments are quite far from some of the original more 'business friendly' amendments which had been tabled in the other various EU legislative committees - one theory behind this is the influence of the NSA scandal on the positioning of certain MEPs, who perhaps felt it necessary for the sake of consumers and their electorate to take a firmer stance on Data Protection policy.
The vote saw a block approval of the majority of pre-tabled compromise amendments, and a majority position approving the remainder of compromise positions.
At the end of the vote the Civil Liberties Committee was informed by Jan Albrecht MEP that they would vote to enter now into a trilogue negotiation with the Council (consisting of the 28 EU Member States) to find a common position - this will then form the final legal basis in Europe. It is however worth noting that the rapporteur made this commitment to enter into trilogue on the basis of a condition that whether the Council comes to a partial or no agreement at all on a common position with the Parliament, the vote will proceed in the Plenary before the end of the current Parliamentary term in May 2014.
Impact of the amended report as approved by the Civil Liberties Committee - the highlights
Data transfers to non-EU countries
According to the adopted text, if a third country requests a company (e.g. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request. This proposal is a response to the mass surveillance activities unveiled by the media in June 2013.
Companies breaking the rules would face fines of up to €100 million or up to 5 % of the annual worldwide turnover, whichever is greater (the Commission proposed penalties of up to €1 million or 2% of the global annual turnover).
Right to erasure
According to the Civil Liberties Committee, any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a "data controller" (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The "right to erasure" would cover the "right to be forgotten" as proposed by the Commission.
Where processing is based on consent, an organisation or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. A person's consent means any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action. There are in addition amendments to the basis of using legitimate interests of the data subject as a base for processing.
The Civil Liberties Committee clarifies that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. Withdrawing consent must be as easy as giving it.
MEPs set limits to profiling, a practice used to analyse or predict a person's performance at work, economic situation, location, health or behaviour. Profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure, and certain data sets would be prohibited for use in a profiling situation, such as administrative sanctions and judgements and gender identifiers. This will impact those who use such identifiers for decision making and individual identification purposes - it will mean that bankruptcy or Court judgements cannot be used in a profiling or scoring decision model.
In many profiling situations there must be the possibility of manual intervention and a full explanation of how the decision making process has been determined - this has a drastic impact on credit and financial services decision making activities.
The European Parliament gave its support to the Commission's proposal to have a "one-stop-shop" for companies that operate in several EU countries and for consumers who want to complain against a company established in a country other than their own. This will mean that companies have one designated regulator in Europe - based upon the country of establishment for the company's main activities.
As previously mentioned the committee vote also sets Parliament's mandate to start negotiations with the Council. Inter-institutional talks will start as soon as the Council agrees on its own negotiating position for both proposals (directive and regulation). Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. However, should a compromise position not be found, the Parliament has committed to bind its position via the plenary vote - rather than allow a natural compromise to be formed as this may take more time.
There will be limited time now to influence the final outcome - and as such strong, consistent and well substantiated messaging can only be encouraged.