European Union Manifests Broad Support for Data Protection Reform; Future Changes in Law Now Irreversible
March 12, 2014
The European Parliament today cemented the strong support previously given at committee level to the European Commission's data protection reform by voting in plenary (621 votes in favour, 10 against and 22 abstentions for the Regulation and 371 votes in favour, 276 against and 30 abstentions for the Directive). The reports of MEPs Jan-Philipp Albrecht and Dimitrios Droutsas, on which members of the European Parliament voted, are a strong endorsement of the Commission's data protection reform and an important signal of progress in the legislative procedure. The data protection reform will ensure more effective control of people over their personal data, and make it easier for businesses to operate and innovate in the EU's Single Market. Wall Street Journal summary available here:
The European Parliament gave its strong backing to the architecture and the fundamental principles of the Commission's data protection reform proposals, on both the General Data Protection Regulation and on the Data Protection Directive in the law enforcement context.
- On 4 March 2014 Ministers in the Council discussed the data protection reform, focusing on its territorial scope and on aspects relating to international transfers. Ministers broadly supported the principle that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. The next meeting of Justice Ministers on the data protection reform will take place in June 2014.
- Today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.
- To become law the proposed Regulation has to be adopted by the Council of Ministers using the "ordinary legislative procedure" (co-decision).
On 25 January 2012, the Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online data protection rights and boost Europe’s digital economy (see IP/12/46). The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive, bringing them into the digital age and building on the high level of data protection which has been in place in Europe since 1995.
What will the data protection reform do for economic growth?
Data is the currency of today's digital economy. Collected, analysed and moved across the globe, personal data has acquired enormous economic significance. According to some estimates, the value of European citizens' personal data has the potential to grow to nearly €1 trillion annually by 2020. Strengthening Europe’s high standards of data protection is a business opportunity.
The European Commission's data protection reform will help the digital single market realise this potential, notably through three main innovations:
- One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
- One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
- The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. European regulators will be equipped with strong powers to enforce this: data protection authorities will be able to fine companies that do not comply with EU rules up to 2% of their global annual turnover. European companies with strong procedures for protecting personal data will have a competitive advantage on a global scale at a time when the issue is becoming increasingly sensitive.
What will the data protection reform do for citizens?
The data protection reform will strengthen citizens' rights and thereby help restore trust. Better data protection rules mean you can be more confident about how your personal data is treated, particularly online. The new rules will put citizens back in control of their data, notably through:
- A right to be forgotten: When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press.
- Easier access to your own data: A right to data portability will make it easier for you to transfer your personal data between service providers.
- Putting you in control: When your consent is required to process your data, you must be asked to give it explicitly. It cannot be assumed. Saying nothing is not the same thing as saying yes. Businesses and organisations will also need to inform you without undue delay about data breaches that could adversely affect you.
- Data protection first, not an afterthought: ‘Privacy by design’ and ‘privacy by default’ will also become essential principles in EU data protection rules – this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks.
What does the reform do for SMEs?
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, especially for small and medium enterprises (SMEs). First, by having one rule instead of 28 the EU's data protection reform will help SMEs break into new markets. Second, the Commission has proposed to exempt small and medium enterprises (SMEs) from several provisions of the Data Protection Regulation – whereas today's 1995 Data Protection Directive applies to all European companies, regardless of their size.
Under the new rules, SMEs will benefit from four reductions in red tape:
- Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
- No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of 130 million euro every year. The reform will scrap these entirely.
- Every penny counts: Where requests to access data are excessive or repetitive, SMEs will be able to charge a fee for providing access.
- Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.
The rules will also be flexible. The EU rules will adequately and correctly take into account risk. The Commission wants to make sure that obligations are not imposed except where they are necessary to protect personal data: the baker on the corner will not be subject to the same rules as a (multinational) data processing specialist. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and to the nature of the data being processed. For example, SMEs will not be fined for a first and non-intentional breach of the rules.
Do not hesitate to contact us should you have any questions.
INTERNATIONAL COMPLIANCE SERVICES
In partnership with The CommLaw Group, Erik De Herdt and Aztec Consult (a global information technology legal & regulatory consultancy) provide U.S. and multi-national enterprise clients with international market entry, licensure and regulatory/legal compliance advisory counsel. Erik is counsel and managing partner of Aztec Consult, located in Brussels, Belgium. He possesses over 12 years' experience in virtually all aspects of international communications & technology law and regulation, serving executive officers and cross-functional teams in cloud communication providers, telecom operators, technology enterprises and information service providers.
For more information regarding European Union and other international regulations affecting telecommunications and electronic communications services, please contact Jonathan S. Marashlian at email@example.com or Erik De Herdt at firstname.lastname@example.org.