LIBE: Stronger safeguards and higher fines in General Data Protection Regulation


22 October, 2013

Yesterday, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted on the Compromise Text of the upcoming European General Data Protection Regulation. After months of negotiations, the Compromise Text has been approved by LIBE. The committee vote also set out a mandate for Parliament to start negotiations on the text with national governments in the European Council.

Mass surveillance cases, such as the PRISM case, seem to have influenced the stance of MEPs on protecting the privacy of European citizens, resulting in stronger safeguards for data transfers to non-EU countries, the requirement of explicit consent and higher fines. Although the Compromise Text has not been published (yet), some details of certain provisions were made public.

– Data transfers to non-EU countries: if a third country requests a company (e.g. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request.

– Sanctions: Non-compliance with the General Data Protection Authority can now lead to fines of up to €100 million or up to 5% of the annual worldwide turnover, up from €1 million and 2% as was proposed by the European Commission. This is a huge increase in risk, especially considering the fact that these fines can be cumulated per offence or breach.

– Profiling: Under the Compromise Text, profiling will only be allowed if consent of the data subject is acquired, when provided by law or when needed to pursue a contract. Data subjects have the right to object to being profiled, and profiling is not allowed if the result is based only on automated processes.

The negotiations mandate was adopted by 52 votes to 1, with 3 abstentions. However, the General Data Protection Regulation won’t be there until at least 2015. It was intended that the European Parliament would vote for the Regulation before the European elections in May 2014, but British premier Cameron and German Chancellor Merkel asked for postponement. They say they need more time to discuss the Committee’s proposal.

In 2015, there will be a trialogue: an informal meeting attended by representatives of the European Parliament, Council and Commission. The purpose of these contacts is to get agreement on a package of amendments acceptable to the Council and the European Parliament. The Commission’s endorsement is particularly important, in view of the fact that, if it opposes an amendment which the European Parliament wants to adopt, the Council will have to act unanimously to accept that amendment. Any agreement in trialogues is informal and “ad referendum” and will have to be approved by the formal procedures applicable within each of the three institutions.

After the trialogue, there will be a plenary vote in the European Parliament, followed by a Council vote. Then, the Regulation will be adopted. It will be applicable in 2017 at the earliest.

Considerati has drafted a schematic overview of the regulatory process of the GDPR.

Source: European Parliament 

Nathalie Falot

Senior Legal Consultant
