Data Protection Newsflash from Mike Bradford, BIIA’s Expert Advisors on Privacy and Regulatory Affairs
Please find below a newsflash which summarizes the outcome of October 21, 2013 vote on the reform. The outcome is overall well balanced and follows our previous summaries, even though in certain respects eg the sanctions regime, it looks stricter than what was originally proposed by the Commission. It remains to be seen what the Member States will come up with during the trialogue negotiations.
Of particular interest to Regulatory Strategies clients is the change to the requirements for a mandatory data protection officer, either in-house or outsourced.
Data Protection officers will be mandatory for companies with more than 5000 client contacts per year. MEPs agreed that such a threshold would be more practice-driven than the number of staff of a company. The reporting and information requirements of an enterprise will depend on the actual risk in relation to the data processing.
A major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe, was voted by the Civil Liberties Committee last night. Responding to mass surveillance cases, MEPs inserted stronger safeguards for data transfers to non-EU countries. They also inserted an explicit consent requirement, a right to erasure, and bigger fines for firms that break the rules.
“The vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws”, commented rapporteur for the general data protection regulation, Jan Philipp Albrecht (Greens/EFA, DE), after the vote.
“Parliament now has a clear mandate to start negotiations with EU governments. The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens’ interests and deliver an urgently-needed update of EU data protection rules without delay. EU leaders should give a clear signal to this end at this week’s summit”, he added.
“The protection of European citizens’ personal data remains a key issue for us. Member states and the Council must move fast now. It is their turn to act. The EU’s Heads of State and Government will have an excellent opportunity to show their decisiveness at the next meeting of the European Council in a few days. We are all waiting for this”, said rapporteur for the directive on the protection of personal data processed for law enforcement purposes, Dimitrios Droutsas (S&D, EL).
Right to erasure
According to the Civil Liberties Committee, any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a “data controller” (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The “right to erasure” would cover the “right to be forgotten” as proposed by the Commission.
Where processing is based on consent, an organisation or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. A person’s consent means any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action.
Civil Liberties Committee MEPs clarify that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. Withdrawing consent must be as easy as giving it.
MEPs set limits to profiling. Profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure.
Companies breaking the rules would face fines of up to €100 million or up to 5% of annual worldwide turnover, whichever is greater (while the Commission proposed penalties of up to €1 million or 2% of worldwide annual turnover).
Data transfers to non-EU countries
According to the adopted text, if a third country requests a company (eg. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request. This proposal is a response to the mass surveillance activities unveiled by the media in June 2013.
Regulatory Strategies will continue to monitor developments and report on potential client impacts as the draft regulation progresses.
Regulatory Strategies Ltd
B’Berry: 44 (0) 7825 269 364
Fax: 44 (0) 115 933 3879
18 Queen Mary’s Close Upper Saxondale Radcliffe on Trent Nottinghamshire NG12 2NR UK
Registered Office: 14 London Road Newark Nottinghamshire NG24 1TW UK
Registered in England and Wales no. 6869459