22 October, 2013
Yesterday, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted on the Compromise Text of the upcoming European General Data Protection Regulation. After months of negotiations, the Compromise Text has been approved by LIBE. The committee vote also set out a mandate for Parliament to start negotiations on the text with national governments in the European Council.
Mass surveillance cases, such as the PRISM case, seem to have influenced the stance of MEPs on protecting the privacy of European citizens, resulting in stronger safeguards for data transfers to non-EU countries, the requirement of explicit consent and higher fines. Although the Compromise Text has not been published (yet), some details of certain provisions were made public.
– Data transfers to non-EU countries: if a third country requests a company (e.g. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request.
– Sanctions: Non-compliance with the General Data Protection Authority can now lead to fines of up to €100 million or up to 5% of the annual worldwide turnover, up from €1 million and 2% as was proposed by the European Commission. This is a huge increase in risk, especially considering the fact that these fines can be cumulated per offence or breach.
– Profiling: Under the Compromise Text, profiling will only be allowed if consent of the data subject is acquired, when provided by law or when needed to pursue a contract. Data subjects have the right to object to being profiled, and profiling is not allowed if the result is based only on automated processes.
The negotiations mandate was adopted by 52 votes to 1, with 3 abstentions. However, the General Data Protection Regulation won’t be there until at least 2015. It was intended that the European Parliament would vote for the Regulation before the European elections in May 2014, but British premier Cameron and German Chancellor Merkel asked for postponement. They say they need more time to discuss the Committee’s proposal.
In 2015, there will be a trialogue: an informal meeting attended by representatives of the European Parliament, Council and Commission. The purpose of these contacts is to get agreement on a package of amendments acceptable to the Council and the European Parliament. The Commission’s endorsement is particularly important, in view of the fact that, if it opposes an amendment which the European Parliament wants to adopt, the Council will have to act unanimously to accept that amendment. Any agreement in trialogues is informal and “ad referendum” and will have to be approved by the formal procedures applicable within each of the three institutions.
After the trialogue, there will be a plenary vote in the European Parliament, followed by a Council vote. Then, the Regulation will be adopted. It will be applicable in 2017 at the earliest.
Considerati has drafted a schematic overview of the regulatory process of the GDPR.
Source: European Parliament
Senior Legal Consultant