TrustArc Blog

Proposed EU Data Protection Regulation Moves a Step Closer

October 23, 2013

Saira Nayak

Monday, the LIBE Committee of the European Parliament (the Committee responsible for Civil Liberties, Justice and Home Affairs) approved a data protection package that consists of a new EU Data Protection Regulation, as well as a Directive covering the processing of data by law enforcement authorities.  The vote, originally scheduled for April 2013, was postponed several times because so many amendments (over 3,000) were received from consumers, industry and other stakeholders.

A proposal to amend the EU’s 1995 EU Data Protection Directive with a “regulation” that would apply in all EU member states was first announced by the EU Commission in 2012, after which, the EU Council and EU Parliament began their review of the proposals.

Since the Commission’s announcement, the regulation has engendered much controversy, resulting in a piece of legislation that the Guardian recently described as the most “most intensely lobbied” in the EU. Requirements like express consent for all processing of personal data, a “right to be forgotten,” and a 24-hour breach notification period, drew concerns from both industry and regulators alike because of their restrictive and prescriptive nature (some additional discussion on TRUSTe’s blog from November 2012 – here).

The European Council weighed in with its response in June 2013, recommending a less strict, “risk-based” approach to data protection that emphasizes the twin goals of EU data protection law:  data protection and the free flow of data flows (see this comprehensive summary on Hunton’s blog for more).  For instance, the Council’s proposal recommends a more contextual approach (based on how well the user is informed, available technologies, etc.) to consent and the right to be forgotten.

The European Parliament – led by the LIBE Committee and its lead “rapporteur,” Jan Albrecht – also continued their review, voting on and releasing their recommendations Monday.  As expected, the LIBE Committee draft preserves much of the Commission’ original recommendations – here are the highlights:

  • Data transfers to non-EU countries – these could only happened if approved by the national data protection authority of the EU member country in question. If approved, it is unclear whether the EU Safe Harbor agreement will still be valid for EU-US data protection transfers.
  • Explicit consent for all processing of personal data.  Explicit consent is defined as the “freely given, specific, informed and explicit indication” of a user’s wishes, either by a statement or a clear affirmative action.
  • A Right to Erasure – a right to have personal data erased if requested by the user.
  • Profiling – Profiling includes analyzing a user’s online behavior for the purposes or marketing and advertising.  The LIBE proposals restrict profiling based on personal data, but exemps profiling based on “pseudonymous data” (which is defined as “personal data that cannot be attributed to a specific data subject without the use of additional information.”)
  • Sanctions – For data protection violations, the LIBE Committee proposes 5% of annual turnover or $100 million euros (as compared to the Commission’s proposed 2%), whichever is greater.

As recent events have shown, the story around both the EU Regulation and Directive continues to evolve daily, with recent revelations about the US’ NSA surveillance program clearly impacting the final form of both the data protection regulation and the law enforcement directive.

Now that the LIBE Committee has provided its recommendations, Jan Albrecht will negotiate with the EU Council over the provisions.  The EU Parliament, Council and Commission must also decide the final format of the “trilogue” process – in which all three entities must reach agreement on what the final EU data protection law will look like (for more, Covington’s Inside Privacy has an excellent summary of the trilogue process).  This agreement must happen before the Parliamentary elections in May 2014, so that the full Parliament can vote on the Regulation before the current EU parliament session ends.

TRUSTe continues to monitor the situation closely.  Last week, our CEO Chris Babel joined other the speakers at the Compliance Week Conference in Brussels, where the proposed changes to the EU’s data privacy rules was one of the main topics of discussion.  And that discussion continues to evolve daily, as Monday’s LIBE Committee now sets into motion a series of events that will decide whether or not the regulation and directive will become EU law before the current parliamentary session ends in April 2014.

As always, TRUSTe will closely follow all of these important developments in the EU, and offer advice and privacy solutions to businesses looking to stay ahead of the proposed changes. Join us on 11/5 for a webinar featuring Caitlin Fennessy of the Department of Commerce’s Data Flows and Privacy Team of the Office of Digital Services Industries, and myself.