Who: European Parliament
When: 12 March 2014
Where: Brussels
Law stated as at: 4 April 2014
What happened:
The European Parliament voted (621 in favour, 10 against) to support proposals for a new Data Protection Regulation (the “Parliament Proposal”). The MEPs voted in support of the version of the Regulation proposed by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) in its October 2013 report, prepared by MEP Jan Philipp Albrecht. A vote was also held on a new EU Directive to cover enforcement bodies: 371 voted to support this new Directive and 276 were opposed.
Some Key Proposals of concern
Fines (Article 79)
Fines of up to 5% of annual global turnover or 1 million Euros, whichever is the greater. Under the original Commission Proposal of January 2012, fines were “only” up to 2% of annual worldwide turnover for an enterprise and up to 1 million Euros for other entities, and the supervisory authority was given no discretion other than to impose a fine.
Under the Parliament Proposal the supervisory authority will have some discretion and will be required to impose at least one of three potential sanctions: 1) a warning for a first or non-intentional breach; 2) regular periodic audits; or 3) a fine of up to 1 million Euros or up to 5% of annual worldwide turnover for an enterprise, whichever is the greater. This is helpful in giving some discretion to regulators, but clearly the level of fines is significant, particularly for enterprises when the 5% rule applies.
Territorial Scope (Article 39)
Increasingly the EU has been seeking to extend the application of EU privacy requirements to non-EU entities which are processing data about Europeans when offering services to European consumers.
The European Commission stated in its press release of 12 March 2014 that “if companies outside Europe want to take advantage of European market with more than 500 million potential customers, then they have to play by European rules”. Under the Parliament Proposal the Regulation would apply to non-EU entities offering goods or services to individuals in the EU, whether or not payment is required, or where there is monitoring of these EU individuals (Article 39). If finally adopted, this will have very wide scope: the use of “cookies”, if construed as monitoring, could again mean that organisations are caught by EU requirements.
Right to be forgotten – Now known as the right to erasure (Article 17)
An individual will have the right to have their personal data erased if they request it subject to certain exceptions. The Controller would then also be legally obliged to forward that request to other third parties where the data may be replicated. This is of particular concern for digital firms such as search engines, social networks and cloud providers.
One Stop Shop (Article 54a)
Although the proposal for a one stop shop has been supported by the Parliament, the Parliament Proposal is more limited in scope: it states that the supervisory authority of an organisation’s main establishment shall act as the lead authority, while the original version stated that this authority would be the “competent” authority. In theory, with a Regulation and maximum harmonisation, this should be less of an issue, but in reality it seems likely that even under the Regulation there will still be scope for local variation and interpretation (e.g. with sanctions), so this is likely to be a key area to be clarified.
What happens next?
The Council of Ministers (Justice and Home Affairs Ministers) has still not adopted its formal position on the text and “nothing is agreed until everything is agreed”.
The Ministers discussed the following key points of the draft regulation at their meeting last month:
(a) Territorial scope of the Regulation
(b) Pseudonymisation
(c) Data portability – the ability of individuals to move their personal information from one service provider to another
(d) The obligations of data controllers and data processors
(e) Profiling
As the Ministers did not reach agreement on these issues, discussions will continue on these and other areas in the draft Regulation and it is hoped that the Council of Ministers will reach a formal position on their revised version of the text at the Council’s next meeting in June.
There are still three different versions of the draft Regulation:
(a) The European Commission original text from January 2012
(b) The text as amended by the European Parliament (based on the Albrecht Report)
(c) The text as amended by the Council of Ministers
Three-way negotiations (trilogue) involving all the institutions are likely to start in the late summer and latest statements from the Commission have been that the Regulation will be agreed by the end of this year with a two year implementation period.
Many countries including the UK want to focus on getting the text of the Regulation right. Simon Hughes MP recently stated at the ICO conference in March “we are clear that the quality of the text should take precedence over a rush to conclude the negotiations. If the negotiations are rushed, we risk a complicated and prescriptive instrument that could damage growth and employment prospects for years to come”. He also stated that the UK would favour a Directive over a Regulation.
Why this matters:
One thing is clear: privacy and data protection are making the headlines and are getting increasing attention from politicians, regulators, industry and consumers.
Irrespective of when new legislation comes (and it will), even under the existing legislation there is increasing focus from all interested parties, with increased enforcement, press coverage and potential impact on an organisation’s reputation if things go wrong.
If you are not complying now, you will certainly have issues under any new proposals, as the legislation is getting more prescriptive and accountability becomes more important. Build data protection into any developments at an early stage (privacy by design) and carry out privacy impact assessments.
Start by ensuring you are compliant now. Key themes which we know will change include consent, breach notification and controller/processor obligations. The ICO is also urging industry not to wait or postpone compliance.
Organisations need to understand their current state of compliance and carry out audit assessments – Now.