LIBE Committee’s Vote: EU Data Protection Regulation Takes Second Base
→ Günther Leissler
→ Mirena Taskova
The EU Data Protection Regulation is in its second round. Having been rejected by the European Parliament earlier this year, Viviane Reding’s ambition of replacing the member states’ data protection laws by one single EU wide regulation has arrived at second base.
On 22 October 2013 the LIBE Committee of the European Parliament (Committee for Civil Liberties, Justice and Home Affairs) backed an amended version of the EU Data Protection Regulation (Regulation). This vote was deemed a ”strong signal for Europe” by Vice-President Viviane Reding, the EU’s Justice Commissioner and key promoter of the Regulation.
But why was there a need for a re-draft? In June 2013 the European Parliament rejected the initial draft of the Data Protection Regulation because it felt there was a need for substantial improvement. With this the European Parliament followed multiple requests for changes placed not only by the member states but also by companies from various industries, by NGOs, and by individuals. Although most of these (more than 4,000) requests had been labelled “lobbying” by the media, there was never any doubt that the original version of the Data Protection Regulation had clear room for improvement. As a result the draft Regulation was re-drafted and finally presented to (and backed by) the LIBE Committee on 22 October. What follows is a short overview of the most material changes.
Pseudonymised data favoured
Similar to the original draft, the new version of the Regulation allows the processing of personal data only on valid legal grounds, such as consent, statutory provisions, or if required for the performance of a contract. However, the re-drafted version of the Regulation further accepts the processing of personal data upon overriding legitimate controller interests if this meets the “reasonable expectations” of the data subject based on his / her relationship with the controller. In the respective recitals it is stated that, as a general rule, the processing of pseudonymised data should be presumed to meet the reasonable expectations of the data subject. In other words, the re-drafted version of the Regulation only allows personal data processing upon overriding legitimate controller interests if a data subject can reasonably expect that his / her data will be processed on a personalised basis. With this, the re-drafted version of the Regulation principally favours the processing of pseudonymised data.
More elaborate mechanisms and procedures
The re-drafted Regulation now provides for more elaborated mechanisms and procedures for data subjects to efficiently exercise their rights of data access, rectification, and erasure. Among other adaptations, the re-drafted version requires data controllers to provide remote access to allow data subjects to directly access their data at the data controller. Also the re-drafted Regulation asks data controllers to comprehensively inform data subjects about the company’s data processing by providing a set of particulars in terms of pre-defined icons. These icons should give (standardised) information about how and to what extent the data controller processes the data subjects’ data and, with this, should provide easy understandable information about the company’s data processing.
Reasonable steps to have data erased
The “right to be forgotten” was replaced by an obligation for data controllers to take all reasonable steps to have data erased, including by third parties, where this data was made public without justification. Further, the re-drafted version of the Regulation harshly limits data processing for the purpose of “profiling” in terms of analysing or evaluating a person, the person’s performance, or behaviour.
Another significant aspect of the new Data Protection Regulation is its upholding of the “one stop shop” principle by claiming that companies with establishments in several member states only have to deal with the DP regulatory authority located in the country of the company’s “main establishment”. The Regulation defines “main establishment” as where the main decisions of the company’s data processing are taken. As regards HR data this will typically be the location of the employer. With respect to customer data it will have to be distinguished: Local customer data administration will most likely trigger the local DP regulator’s jurisdiction whereas centralised and corporate-wide customer data administration might fall within the competency of the DP regulator located at the corporate headquarters. However, the details of how this concept should be handled in practice are still open.
Maybe the most significant amendment is the proposed increase of fines for non-compliance with the Regulation (up to EUR 100,000,000 or up to 5% of the annual worldwide turnover of the company). Regulators might also impose warnings in writing in cases of first and non-intentional non-compliance, and they can initiate regular and periodic data protection audits. It should be noted, however, that the Regulation gives relief to companies holding a “European Data Protection Seal” since in this case fines may only be imposed in cases of intentional or negligent noncompliance.
The re-drafted Regulation causes specific concern to Safe Harbour certified companies. Principally the safe harbour regime should stay in place for a transitional five-year period. However, most recently the European Parliament considered the suspension of Safe Harbour putting US companies at risk of being deprived of their legal basis for data transfers from Europe to the US much sooner than expected.
The European Commission aims at getting the Regulation in force by May 2014 (the date of the European Parliamentary elections). However, even the re-drafted Regulation still has significantly room for improvement. Maybe the motto for a more sustainable revision of the new Data Protection Regulation could be, “slow and steady wins the race.”