Review of the EU’s data protection regulation proposal

Under E.U. law, personal data can only be gathered under strict conditions. Those who collect and manage personal information are bound by a duty to protect it from misuse and to respect certain rights of the data owners.

The EU Data Protection Directive of 1995 (Directive 95/46/EC) established specific rules for the transfer of personal data, both inside and outside the EU.[1] However, since the draft of the 1995 rules, a vast range of technological developments have seen the light. It is now commonly recognized that the current data protection principles are in need of an urgent update. Also, differences in implementation of the rules in the EU member states have given rise to complex situations, in particular for companies that are active in more than one EU member state. In our globalized economy, drafting different company policies to respond to different legal situations in each of the EU member states is hardly an adequate solution for companies or organizations (this also goes against the spirit of the EU single market).  

New EU Data Protection Regulation Proposal

To counter such criticism, the European Commission, in January 2012, proposed a major reform of the EU data protection rules. The new rules are intended to strengthen individual rights and at the same time boost Europe’s digital economy. In the meantime, the Commission’s proposal has been put to a vote in the EU Parliament’s LIBE Committee (Parliamentary Committee on Civil Liberties, Justice and Home affairs). Close to 4,000 amendments were introduced by lobby groups to soften the impact of the new rules. In the end, many of these amendments were rejected. In fact, the LIBE Committee strengthened the privacy protection provisions of the Commission’s initial draft in several ways.

Below are some of the major changes in the reform proposal:

• A single set of rules on data protection, valid across the EU. The new “Data Protection Regulation” will establish a single, pan-European law for data protection, replacing the current patchwork of national laws. In short, 1 privacy law instead of 28 privacy laws should make life easier for both individuals and companies.

• One-stop-shop: Organizations will deal with one single national data protection authority in the EU country where they have their main establishment (they will no longer have to deal with 28 different authorities). Likewise, people will be able to call upon the data protection authority of their own country to file a complaint, even when the company that processes their data is based in another EU country or outside the EU.

• People will have easier access to their own data and be able to transfer personal data more easily from one service provider to another (right to data portability).

• A “right to be forgotten”: people will be able to request the deletion of their data if there are no legitimate grounds for retaining it. However, under the Commission’s proposal, the right to be forgotten is not an absolute right (for instance, it should not encroach on the freedom of expression).

• If consent is required to process data, this consent has to be given explicitly, rather than be assumed.

• EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens (creating a level playing field for EU and non-EU companies).

• Independent national data protection authorities will be strengthened so that they can better enforce the EU rules. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to 100 million Euros or up to 5% of the global annual turnover of a company (in the Commission’s initial proposal, the fines were limited to 1 million Euros or 2% of the global annual turnover of a company; the LIBE Committee wanted to make a clear point on the importance of data protection by increasing the maximum amounts).

• The EU Commission has proposed to exempt small and medium enterprises (SMEs) from several provisions of the Data Protection Regulation. For instance, in the Commission's proposal, SMEs will not have to appoint a "data protection officer" if data processing is not their core business activity or if the company employs less than 250 employees; SMEs will be able to charge a fee for providing access if requests to access data are excessive or repetitive; SMEs will not be fined for a first and unintentional breach of the rules; etc.  In the latest draft of the proposal (version of the LIBE Committee), many of these exemptions are gone: for instance, the exemption to appoint a data protection officer if the company employs less than 250 employees no longer forms part of the proposal. Instead, the current proposal (article 35) mentions that a data protection officer should be appointed in any case where the processing is carried out by a legal person and relates to more than 5000 data subjects in any consecutive 12 month period. 

It remains to be seen whether the amendments by the LIBE Committee will all survive the next rounds of negotiations.

Current Status of the EU Data Protection Regulation Negotiations

In October 2013, the EU heads of state and government committed to a “timely” adoption of new EU data protection rules (which hardly seems like a very strong support, especially in light of the latest leaks in the Snowden affair). It is commonly expected that the new data protection regulation will not be put to a vote at the EU Parliament’s plenary session before the elections of May 2014. After the elections, new negotiations will start between the (new) EU Parliament, the (new) EU Commission and the Council of Ministers. Lawmakers now believe that a final version of the data protection regulation is to be expected somewhere in 2015.

Today, almost two years after the EU Commission first put its proposal on the table, there is still no agreement on some of the basic principles of the new EU data protection rules. For instance, there is still no compromise on the one-stop shop principle. Under this principle, companies operating in several EU countries will have to deal with one major data protection authority (the one of the country of their main establishment), whereas individuals will be able to file their complaints with their own national data protection authorities (or their national courts). As such, a Belgian citizen will be able to go to his or her local data protection authority in Belgium, instead of having to file a claim in the country where the company processing the data is established (for instance, Ireland). One can only hope that, once accepted, the one-stop shop principle will not result in a situation where some national data protection commissions are more relaxed in supervising companies than commissioners in other countries. For instance, the current Irish data protection commission is not the most stringent in enforcing data protection rules – one can only hope that they will get the means to effectively monitor data protection compliance by the many IT companies based in Ireland.

Although this is one of the so-called “meat and potatoes” parts of the Commission’s data protection reform proposal, it yet remains to be seen if and to what extent it will be turned into law. One can only hope that the European Council will soon reach a workable compromise for this and other central pieces of the proposed data protection regulation. In any case, it is clear that the current rules urgently need to catch up with new (and no longer so new) technological developments, so major delays in the lawmaking are to be avoided.

We need to ensure that all EU citizens benefit from an adequate level of protection of their personal data, and that companies and organizations can rely on clear and simple rules that they can implement for their entire business across the EU. 

Do not hesitate to contact me should you have any question regarding data protection or privacy rules in the European Union or in Belgium.

Author: Bart Van Besien

Finnian & Columba

Belgium

bart@finnian.be

Lawyer – attorney

Media law (incl. privacy / data protection)

Intellectual Property law