After lengthy discussions, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) agreed this Monday (22 October 2013) on a compromise text of the draft General Data Protection Regulation (“GDPR”). The proposal still has a mountain to climb as opinions between the different EU institutions remain deeply divided. However, Monday’s vote is significant as it gives the European Parliament (“EP”) a mandate to start the next phase of negotiations with Member States.
The GDPR was published by the European Commission 21 months ago in January 2012 and has proved to be one of the most controversial proposals ever to come out of Brussels, with lobbyists proposing over 4000 amendments to the Commission’s text.
The compromise text was adopted by the LIBE Committee on a 49-1 vote with three abstentions. The EP’s press release is here and includes some radical proposed changes to the Commission’s draft.
Datonomy has taken a look at some of the key proposed changes which include the following:
- Territorial Scope: Under the draft GDPR, the Regulation applies to all processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union” and to the activities of controllers not established in the Union where the processing activities relate to offering goods or services to data subjects in the in the EU or the monitoring of their behaviour. The EP’s compromise text seeks to add to the reach of this provision in two ways: it adds the passage “whether the processing takes place in the Union or not”, and makes clear that the targeting of EU citizens is caught even where no payment is required for the goods / services offered. With this amendment, the Parliament tries to cover in particular data processing activities that take place in a cloud and/or overseas.
- Fines: The Parliament harmonized the fines for a violation of the GDPR. According to the Commission’s draft, such fines could amount to between 0.5% of an enterprise’s annual worldwide turnover or EUR 250,000 and 2% of an enterprise’s annual worldwide turnover or EUR 1,000,000, depending on the provisions breached. The compromise text harmonizes those categories and increases the maximum fines for GDPR breaches up to 5% of an enterprise’s annual worldwide turnover or up to EUR 100,000,000 – whichever is greater.
- Right to be forgotten and erasure: The controversial right to be forgotten is endorsed, and reinforced with an obligation on data controllers to take all reasonable steps to have that data erased by third parties. A right to have data erased following a court order is also added.
- One-stop-shop: The compromise text confirms the one-stop-shop principle of the GDPR which provides that only the data protection authority of the country in which the business is located is competent for supervising such businesses’ data protection activities. On the other hand, data subjects have the right to lodge a complaint with a supervisory authority in any Member State if they consider the processing of their personal data is not in compliance with the GDPR.
- Certification: According to the compromise text, controllers and processors within and outside the EU may ask any supervisory authority within the EU to certify that their processing of personal data complies with the GDPR. If this is the case they will be granted a “European Data Protection Seal” which allows for data transfers between businesses with such a seal even if one of them is based in a country that does not have an adequate level of data protection.
- Data protection officer: The compromise text changes the requirements for appointing a data protection officer (“DPO”). While the draft GDPR required a DPO if an enterprise has 250 or more employees that carry out processing of personal data, the compromise text only relates to the number of data subjects concerned and requires the appointment of a DPO if personal data of more than 5,000 data subjects are processed in any consecutive 12-month period. Furthermore, the compromise text requires a DPO where the core activities of the controller or processor consist of the processing of sensitive personal data, location data or data on children or employees in large scale filing systems.
- Breach notification: Good news is that the compromise text widens the time frame in which a personal data breach must be reported to the supervisory authority from 24 hours to a reporting that takes place “without undue delay”.
Procedure and what is next
The LIBE Committee’s vote gives lead Rapporteur Jan Phillipp Albrecht a mandate for negotiations with the Council in order to reach a common agreement on the final wording of the GDPR which negotiations shall preferably be concluded prior to EU Parliament elections in May 2014. The next meeting of the Council’s Justice Ministers on the data protection reform will take place on 6 December 2013. And an indicative plenary sitting of the Parliament is scheduled for 11 March 2014.
It is expected that during the inter-institutional negotiations, the compromise text will be further amended as certain aspects in the current version seem too radical to be supported by the Council (e.g., fines will probably be one of the parameters to become adjusted).
Accordingly, despite the LIBE Committee’s vote, there is still a long way to go before the new GDPR will formally be adopted, and it remains to be seen what the final detail of the reforms will look like, and whether the Commission will achieve its aim of getting the measure adopted at EU level before the European elections in the Spring. Datonomy will continue to monitor the progress and keep its readers updated on the future development of data protection in Europe.