The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
The report contains significant amendments compared with the original draft prepared by the European Commission in January 2012. At the same time, the version now adopted omits or softens a number of very strict provisions that appeared in the very first draft report published by LIBE’s rapporteur, Jan Philipp Albrecht, in December 2012. The following changes to the previous drafts are of particular note:
- The Parliament’s draft proposes that sanctions could be as high as €100,000,000 or 5% of annual global turnover (whichever is the greater), compared with the Commission’s proposal of €1,000,000 or 2% of annual global turnover.
- Compliance programs and accountability will be taken into account when applying sanctions;
- Sanctions can include the obligation to perform periodic audits;
- The conditions for consent have been tightened up. In particular, consent cannot be tied to a contract;
- “Legitimate interest” remains in the regulation as a valid basis for most kinds of processing (except for sensitive data and profiling);
- Data portability stays in the regulation, but it is merged with the article on right of access;
- The “right to be forgotten” is relabelled “right to erasure,” but its provisions are for the most part unchanged;
- The rules on jurisdiction are essentially unchanged from the Commission’s draft. A data controller located outside the European Union will be subject to the regulation if the data controller “offers goods or services” to data subjects in the EU, or “monitors” them;
- The one-stop shop mechanism is maintained, except that consumers may always complain to their local DPA, instead of being obligated to go to the main DPA responsible for the controller’s activities;
- A data protection officer would be obligatory for any company processing personal data relating to 5,000 data subjects or more during any consecutive 12-month period;
- Data breaches would have to be reported “without undue delay,” with a presumption that 72 hours is “without undue delay”;
- A data protection risk analysis would become obligatory for any processing involving more than 5,000 data subjects during any consecutive 12-month period, or any other kind of risky processing;
- Extensive new provisions have been inserted on data processing in the employment context;
- Transfer of personal data to countries outside the EEA is made more difficult, particularly if a proposed transfer is in response to a request from a court or an administrative authority of a third country. A firm would first have to get permission from the local DPA. This amendment is a response to the concerns triggered by the Snowden disclosures on NSA surveillance; and
- Data controllers must use standardized symbols to tell consumers how their data is handled.
The vote now permits the Parliament to proceed to the trialogue negotiation with the Council and Commission once the Council has reached an agreed position. Previously, the high number of amendments (approximately 4,000) proposed by the Parliament to the legislation had given rise to concerns that the Regulation would not be passed before the next European elections. Now that the European Parliament has made its position known, pressure will shift to the Member State governments to reach agreement on a position within the European Council. Once a common position is reached, negotiations can begin with the European Parliament and Commission.
We will follow up with a detailed analysis of the new draft provisions.