EU Data Protection Reform EndorsedEuropean Parliament Backs Measure; Other Hurdles Remain
In a preliminary step toward enactment of a new data protection law, the European Parliament on March 12 approved the European Commission's data protection reform, a draft document proposing a comprehensive overhaul of the EU's 1995 data protection directive.
"All this says is that the EU Parliament supports the draft document," says Francoise Gilbert, privacy attorney at the IT Law Group. Before the regulation, proposed in January 2012, can go into effect, it still must win the approval of the 28 EU member nations through the Council of Ministers of the European Union, Gilbert explains.
"For now, they are not in agreement, and they are not ready to vote to approve the document," she notes.
Trevor Hughes, president and CEO of the International Association of Privacy Professionals, says the passage of the reform by the EU parliament is a "strong indication of political will to see the data protection regulation realized. However, acceptance by the [Council of Ministers] remains unclear, with some EU nations actively advocating against approval."
Gilbert says the data protection reforms will undoubtedly be modified further. If the measure eventually is enacted, Gilbert says it most likely will: increase protection for consumers; reduce the paperwork, filings and registrations required of companies; increase companies' obligations to have appropriate privacy and security measures; increase the powers of the data protection authorities; and increase the amount of penalties.
The reform endorsed by the European Parliament outlines three main objectives:
- Establish a single, pan-European law for data protection, replacing the current "inconsistent patchwork" of 28 national laws;
- Create one supervisory authority for all 28 nations;
- Adopt stricter fines for companies that do not comply with data protection laws.
Under the original proposal, companies that do not comply with the EU rules would be fined up to 2 percent of their global annual revenue. But the European Parliament voted to increase the fines to 5 percent of a company's annual global revenue, according to the The Wall Street Journal.
The data protection reform also offers enhanced protections for citizens, including: a right to have personal data deleted if there are no legitimate grounds for retaining it; easier access to personal data; greater control of their data in terms of consent and processing; and notification from organizations without undue delay about data breaches that could have an adverse impact, according to the European Commission, the executive body of the European Union responsible for proposing legislation.
Under the current proposal, small and midsize businesses would be exempt from several provisions of data protection regulation. For example, they would not need to have a data protection officer if data processing is not their core business activity, the commission says.
Global companies that operate in the European market would also be subject to the proposed European data protection law, according to the commission. "For a strong European digital industry to compete globally we need a level playing field," the commission says.
"The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible," says EU Justice Commissioner Viviane Reding, the European Commission's vice president. "Europe's directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens."
For U.S. businesses, Hughes of the IAPP says the outlook remains "a bit unstable and fraught with risk."
"European governments and companies are calling for more euro-centric processing of data, raising competitive risks," he says. "And EU regulators are still very active under the existing directive and laws. Overall, vigilance and good risk management in privacy are the best tools for the coming months."