Mike Bradford (Regulatory Strategies), our expert on Privacy and Data Protection, is keeping us up to date on what’s happening re the EU DP Regulation within the European Commission. Some interesting points and as you will see, there is still a lack of consensus among Member States. These developments are also highly relevant for our non-European members because regulators elsewhere are watching with keen interest.
Here are Mike’s most recent comments: “On 21 March, the European Parliament’s Legal Affairs (JURI) Committee voted on its opinion on the data protection draft proposal. It was the fourth and last Committee to adopt non-binding opinions before the LIBE Committee votes on its report as the lead committee, most likely at the end of May. Commenting the outcome of the vote, MEP Marielle Gallo leading the discussion in the JURI Committee said: “Today’s vote leaves no room for ambiguity: we are in favour of high protection levels for citizens’ privacy”.
“In this important dossier for European citizens and enterprises, the Legal Affairs Committee has laid the foundations for a wider political agreement between the different political groups within the Parliament. It is a shame that some Members persist to refuse any reasonable compromise”, added Marielle Gallo.
MEPs on the Committee voted in favour of an extended definition of personal data, for explicit consent to be given by citizens to authorise the use of their data, incentives to encrypt data and finally, significant financial penalties that could reach up to one million Euros, or 2% of their world revenue, to sanction companies that do not respect the rules.
Additionally, it has been clarified that profiling is forbidden if considered discriminatory, in other words if based on ethnic, religious or sexual orientation criteria.
The LIBE Committee, which is the lead committee, also discussed the 3133 amendments tabled to the general EU’s data protection law. MEPs from the Christian Democrat political group (EPP) agreed on the absolute need to adapt European data protection rules to the age of cloud computing and social networks avoiding the risk of increased bureaucracy, which will massively slow down innovation and entrepreneurial activities.
Most criticism has been expressed regarding the amendments tabled by Socialists on the compulsory Data Protection Officer which would mean that companies which store data of more than 250 persons – regardless of their own size – to keep records of every single data handling event related to that data. Furthermore, they called for the establishment of a new control authority to certify companies handling less than 500 data subjects per year.
The EPP Group criticises the Socialist proposals as being absurd and non-practicable which would generate additional red tape, especially for SMEs who will suffer extra burden, including the appointment of the DPO if they store somewhere more than 250 addresses.
In parallel to the parliamentary debate, the Irish Presidency is giving a strong push to the debate although the plan to reach a political compromise under its Presidency is becoming more and more ambitious as the vote at the Parliament is not likely to happen in April as originally foreseen but most likely on 29 May.
Moreover, disagreement between the two Institutions still remains over a number of issues. Many of the EU’s Member States called for a softer approach to the one emerging from the corridors of the Parliament.
The proposal is likely to be softened after at least nine countries – including the UK, Germany, Sweden and Belgium – said they were opposed to several proposed measures that could add heavy burdens on businesses, favouring instead a so-called “risk-based” approach of regulation, which aims to deal with cases where there is a substantial threat to a person’s data or privacy, exempting small companies from suffering the burdens of data protection rules.
Some Member States, such as the UK, are pushing to make the designation of the DPO an optional requirement, a matter not all countries agree on. At the same time, Germany and Belgium are pushing for the easing of rules related to the use of data by public institutions, such as the tax authority, while other Member States call for easing of the overly strict and severe sanctioning system.
However, as there are enough Member States to block the entire proposal unless Parliament and the Commission make some compromises, key opportunities remain for businesses to raise concerns and engage with MEPs and Member States’ representatives in the coming weeks.
Regulatory Strategies will incorporate an update in their next Newsletter covering this month’s developments for subscribing clients.
Mike Bradford
Director
Regulatory Strategies Ltd
www.regulatorystrategies.co.uk
Mike’s other recent updates can be found on: https://www.biia.com/category/regulatory-news
