On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.
The LIBE draft includes thousands of amendments to the original draft issued by the European Commission in early 2012. Albrecht notes that the LIBE draft Regulation is intended to establish “high data protection standards” that will consistently be enforced across the EU. The draft Regulation would purportedly prevent companies from establishing their operations in countries “with weak data protection standards,” and EU data protection laws would apply “whenever the data of European residents is processed – whether within or outside of the EU.” In what follows, we summarize Albrecht’s 10 points.
- Transfers to Third Countries: As mentioned above, Albrecht states that the revelations about U.S. government surveillance prompted the inclusion of a provision that would generally prohibit companies from transferring data to governmental authorities in third countries. Such transfers would be permitted only if allowed under EU law or under an agreement based on EU law. The LIBE draft goes so far as to prohibit telecommunications and Internet companies from transferring personal data outside the EU for such purposes unless there is a concrete agreement allowing that processing.
- Access, Deletion, and Correction Rights: Individuals will have the right to request that “firms like Google, Facebook etc.” delete personal data on the Internet. Albrecht does not clarify whether size, industry group, services offered, or some other characteristic singles out firms like Google and Facebook. Whatever the means of identifying those firms, upon receiving a deletion request, they would have to pass along that request to any third parties to which they had sent the data. It is unclear whether this would apply to private individuals who republish public postings from social media or other platforms. Internet providers would be required to quickly disclose free of charge what personal data they process and provide that data to users in electronic form upon request. Albrecht states that the LIBE draft meaningfully balances freedom of expression and information with the protection of personal data, but offers no detail on how this will be done.
- Expanded Rights: The LIBE draft would require companies to inform individuals about whether data is retained longer than necessary for specific, identified purposes; whether personal data is collected beyond the minimum necessary; and whether information was provided to public authorities in the prior year.
- Strong Sanctions: Albrecht states that companies should face “tough sanctions” for severe cases of illegal data processing. Although it is not mentioned in the release, reports are that companies may be fined up to 5% of global turnover, as opposed to the EU Commission’s proposal to allow fines of up to 2% of turnover.
- Definition of “Personal Data”: In an attempt to address the privacy implications of Big Data, the LIBE draft will recognize “information that can be directly or indirectly linked to a person or used to single out a person from a larger group” as personal data. Albrecht calls for incentives to use pseudonymized data sets that cannot be linked to other data.
- Consistency: The European Data Protection Board, which will be comprised of the European Data Protection Supervisor and data protection authorities from each of the EU Member States, will serve to ensure harmonious enforcement of the data protection laws. The Board will directly advise Member States and will coordinate the joint operations of data protection authorities.
- One-Stop Shop: The LIBE draft retains the one-stop-shop approach where companies will have to deal only with the data protection authority in the country of their main establishment. In the event that a company has no establishment in the EU or has no clear main establishment, the European Data Protection Board will determine the lead authority.
- Privacy by Default: Albrecht states that companies should minimize the collection of data and distribute products and services with the “most data protection-friendly” settings as the default. The release suggests that this would require an opt-in for any processing that is not necessary for the provision of a service.
- Data Protection Officers: The LIBE draft would look to the amount and type of data processed, rather than the size of the company, in determining whether the appointment of a data protection officer is necessary.
Most of the “highlights” noted in Albrecht’s release would create significant new burdens for companies. And noncompliance would risk fines of up to 5% of global turnover. Hogan Lovells will closely monitor the outcome of Monday’s scheduled vote and any subsequent negotiations among the Parliament, Council, and Commission.