A major overhaul of current EU data protection rules, to put people in control of their personal data while at the same time making it easier for companies to move across Europe, was voted by the Civil Liberties Committee on Monday. Responding to mass surveillance cases, MEPs inserted stronger safeguards for data transfers to non-EU countries. They also inserted an explicit consent requirement, a right to erasure, and bigger fines for firms that break the rules.
"This evening's vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws", commented rapporteur for the general data protection regulation, Jan Philipp Albrecht (Greens/EFA, DE), after the vote.
"Parliament now has a clear mandate to start negotiations with EU governments. The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens' interests and deliver an urgently-needed update of EU data protection rules without delay. EU leaders should give a clear signal to this end at this week's summit", he added.
"The protection of European citizens' personal data remains a key issue for us. Member states and the Council must move fast now. It is their turn to act. The EU's Heads of State and Government will have an excellent opportunity to show their decisiveness at the next meeting of the European Council in a few days. We are all waiting for this", said rapporteur for the directive on the protection of personal data processed for law enforcement purposes, Dimitrios Droutsas (S&D, EL).
Data transfers to non-EU countries
According to the adopted text, if a third country requests a company (e.g. a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request, MEPs say. This proposal is a response to the mass surveillance activities unveiled by the media in June 2013.
Companies breaking the rules would face fines of up to €100 million or up to 5% of annual worldwide turnover, whichever is greater, MEPs say (the Commission proposed penalties of up to €1 million or 2% of worldwide annual turnover).
Right to erasure
According to the Civil Liberties Committee, any person would have the right to have their personal data erased if he/she requests it. To strengthen this right, if a person asks a "data controller" (e.g. an Internet company) to erase his/her data, the firm should also forward the request to others where the data are replicated. The "right to erasure" would cover the "right to be forgotten" as proposed by the Commission.
Where processing is based on consent, an organisation or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. A person's consent means any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action.
Civil Liberties Committee MEPs clarify that the execution of a contract or the provision of a service cannot be made conditional upon consent to processing personal data that is not strictly needed for the completion of that contract or service. Withdrawing consent must be as easy as giving it, MEPs add.
MEPs set limits to profiling, a practice used to analyse or predict a person's performance at work, economic situation, location, health or behaviour. Profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure, MEPs say.
The data protection package consists of two draft laws: a general regulation covering the bulk of personal data processing in the EU, both in public and private sectors, and a directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement). The current data protection directive dates from 1995, before the Internet came into widespread use, and does not cover data processed for law enforcement purposes.
The new rules update existing data protection law principles to take account of the challenges posed by new information technologies, globalisation and the growing tendency to use personal data for law enforcement purposes.
The committee vote also sets out Parliament's mandate to start negotiations with national governments in the Council. Inter-institutional talks will start as soon as the Council agrees on its own negotiating position for both proposals (directive and regulation). Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections.
The negotiating mandate for the regulation was adopted by 51 votes to 1, with 3 abstentions.
The negotiating mandate for the directive was adopted by 47 votes to 4, with 1 abstention.
In the chair: Juan Fernando López Aguilar (S&D, ES)