5 November, 2013
On 21 October, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted on the Compromise Text of the upcoming European General Data Protection Regulation. After months of negotiations, the Compromise Text has been approved by LIBE. The committee vote also gave a mandate for negotiations with the European Council and the Commission in the so-called ‘trialogue’. The goal of a trialogue is to speed up the legislative process through informal negotiations behind closed doors. The idea of the trialogue was to ensure that the final vote on the Regulation could happen before the Parliamentary elections in May of 2014.
But just a few days later, the European Council decided to postpone its final decision on the Regulation until at least 2015. British Prime Minister Cameron and German Chancellor Merkel lobbied for the postponement, saying they needed more time to discuss the Committee’s proposal. This development in the Council makes the future of the Regulation and the proposed timeline highly uncertain.
If a trialogue does take place, it is no longer likely to happen before 2015. The negotiators will seek agreement on a package of amendments acceptable to both the Council and the European Parliament. The Commission’s endorsement is particularly important: if it opposes an amendment which the European Parliament wants to adopt, the Council will have to act unanimously to accept that amendment. Any agreement reached in trialogues is informal and “ad referendum” and will have to be approved through the formal procedures applicable within each of the three institutions.
After the trialogue, there will be a plenary vote in the European Parliament, followed by a Council vote. Then, the Regulation will be adopted. It will be directly applicable in the Member States two years after its adoption. It is thus likely that the new rules won’t apply until the end of 2017.
The main changes in the Compromise Text include the following:
- Data transfers to non-EU countries: if a third country requests a company (e.g. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data. The company would also have to inform the person concerned of such a request.
- Sanctions: Non-compliance with the General Data Protection Regulation can now lead to fines of up to €100 million or up to 5% of the annual worldwide turnover, up from the €1 million and 2% proposed by the European Commission. This is a huge increase in risk, especially considering that these fines can be accumulated per offence or breach.
- Profiling: Under the Compromise Text, profiling will only be allowed with the consent of the data subject, where provided for by law, or where needed to perform a contract. Data subjects have the right to object to being profiled, and profiling is not allowed if the result is based solely on automated processing.
- Right to erasure: The ‘right to erasure’ covers the ‘right to be forgotten’ as proposed by the Commission. It concerns the right of any person to have their personal data erased at his or her request. If a person asks a data controller to erase his or her data, the controller should also forward the request to other parties where the data are replicated.
- Explicit consent: Where processing is based on consent, an organization or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his or her consent at any time. A person’s consent means any freely given, specific, informed and explicit indication of his or her wishes, either by a statement or by a clear affirmative action.