Responding to mass surveillance cases, MEPs inserted stronger safeguards for data transfers to non-EU countries. They also inserted an explicit consent requirement, a right to erasure, and bigger fines for firms that break the rules.
The vote has already triggered fresh fears, especially over consent for marketing data, but what does the committee itself believe? “This evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws”, commented rapporteur for the general data protection regulation, Jan Philipp Albrecht (Greens/EFA, DE), after the vote.
“Parliament now has a clear mandate to start negotiations with EU governments. The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens’ interests and deliver an urgently-needed update of EU data protection rules without delay. EU leaders should give a clear signal to this end at this week’s summit”, he added.
“The protection of European citizens’ personal data remains a key issue for us. Member states and the Council must move fast now. It is their turn to act. The EU’s Heads of State and Government will have an excellent opportunity to show their decisiveness at the next meeting of the European Council in a few days. We are all waiting for this”, said rapporteur for the directive on the protection of personal data processed for law enforcement purposes, Dimitrios Droutsas.
Data transfers to non-EU countries
According to the adopted text, if a third country requests a company (e.g. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request, MEPs say. This proposal is a response to the mass surveillance activities unveiled by the media in June 2013.
Companies breaking the rules would face fines of up to €100 million or up to 5% of annual worldwide turnover, whichever is greater, MEPs say (the Commission proposed penalties of up to €1 million or 2% of worldwide annual turnover).
Right to erasure
According to the Civil Liberties Committee, any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a “data controller” (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The “right to erasure” would cover the “right to be forgotten” as proposed by the Commission.
Where processing is based on consent, an organisation or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. A person’s consent means any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action.
Civil Liberties Committee MEPs clarify that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. Withdrawing consent must be as easy as giving it, MEPs add.
MEPs set limits to profiling, a practice used to analyse or predict a person’s performance at work, economic situation, location, health or behaviour. Profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure, MEPs say.
The data protection package consists of two draft laws: a general regulation covering the bulk of personal data processing in the EU, both in public and private sectors, and a directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement). The current data protection directive dates from 1995, before the Internet came into widespread use, and does not cover data processed for law enforcement purposes.
The new rules update existing data protection law principles to take account of the challenges posed by new information technologies, globalisation and the growing tendency to use personal data for law enforcement purposes.
The committee vote also sets out Parliament’s mandate to start negotiations with national governments in the Council. Inter-institutional talks will start as soon as the Council agrees on its own negotiating position for both proposals (directive and regulation). Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections.