On 12 March 2014, the European Parliament voted in favour of the revised draft EU Data Protection Regulation.  To become law the proposed Regulation must be adopted by the EU Council using the "ordinary legislative procedure".  The EU Council is due to meet in June 2014.

Background

The proposed Regulation was originally presented by the European Commission on 25 January 2012.  It has been the subject of vigorous debate both in Brussels and across the EU, and has been subject to much re-drafting.

Key Changes

  • A single, pan-European law for data protection.  The Regulation will replace the 1995 Data Protection Directive (95/46/EC), which has been inconsistently implemented in the 28 Member States of the EU.  This means companies will deal with one law, rather than 28.
  • A ‘one-stop-shop’ for businesses and individuals. Companies and individuals will only have to deal with one supervisory authority, not 28.  This should make it easier and cheaper for companies to do business in the EU.
  • Creation of a level playing field between non-European and European businesses.  Non-European companies, when offering services to Europeans, will have to apply European rules, and adhere to the same levels of protection of personal data.
  • Stronger enforcement powers.  Companies that do not comply with the EU rules will be liable to fines of up to €100 million or up to 5% of annual worldwide turnover, whichever is greater.
  • The right to be forgotten.  Individuals may request their data to be deleted when there are no legitimate grounds for it to be retained.
  • The right to data portability.  This right will make it easier for individuals to transfer their personal data between service providers.
  • Explicit Consent.  Consent to process data must be explicitly given.  It cannot be assumed.
  • Data Breach notification.  There will be a mandatory obligation for businesses across all sectors of the economy to inform the supervisory authority and any individuals adversely affected, without undue delay, of any data breaches.
  • Reduction in costs and red tape for SMEs.  In a number of cases, the obligations of data controllers and data processors are calibrated according to the size of the business.  For example, SMEs will be exempt from the obligation to appoint a data protection officer insofar as data processing is not their core activity, nor will they be fined for a first and non-intentional breach of the rules.

Next Steps

The European Parliament now stands ready to negotiate the final text of the Regulation with the EU Council as soon as the Council defines its position.