European Parliament Approves EU Data Protection Regulation Draft

The European Parliament has voted to approve the draft text of the Data Protection Regulation, which is expected to become European law in the near future.

The document gives more power to the users of online services, proposes stronger safeguards for EU citizens’ data that gets transferred abroad, and considerably increases the fines that can be imposed on companies that break the rules.

The draft of the Regulation was approved by overwhelming majority, with 621 member of the European parliament voting in favour, and only ten against.

In order to become law, the proposed Regulation will have to be adopted by the Council of Ministers using the “ordinary legislative procedure”, but today’s vote means the position of the Parliament is now set in stone and will not change even if its composition changes following European elections in May.

Regulation for the new century

The vote on Data Protection Regulation has been delayed several times, with US lobby groups and even some European governments attempting to “water down” the proposals. Critics of the new rules say they increase regulatory burden, and will have a disproportionate effect on smaller businesses.

“The citizens of Europe expect us to deliver a strong EU wide data protection regulation. If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them,” said Jan Philipp Albrecht, rapporteur for Data Protection Regulation.

The current EU directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” had been approved in October 1995, long before the Internet became the driving force behind some of Europe’s major economies. The recent revelations about surveillance practices of the US National Security Agency (NSA) have also highlighted the need for reform.

According to some estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020.

Right to be forgotten

Under the new rules, any company that wants to disclose any EU citizen’s personal data to an entity outside of the Union will have to seek permission of a national data protection authority, and adhere to the Data Protection Regulation. It is thought that this measure will protect European Internet users from intrusive data collection by foreign intelligence agencies.

Despite some concern, the draft Regulation keeps the “right to be forgotten” – European users of online services will be able to request their data to be deleted if there are no legitimate grounds to retain it. It also establishes limits to user “profiling” and adds the requirement to use plain language to explain privacy policies.

Among the most interesting changes is the huge increase in maximum fines for breaking the rules, from €1 million or two percent of worldwide annual turnover to €100 million, or up to five percent of annual worldwide turnover.

The Commission has proposed to exempt small and medium enterprises from some provisions of the Data Protection Regulation to ease financial burden. There will also be a separate directive governing the use of personal data to prevent, investigate or prosecute criminal offences or enforce criminal penalties.

No way back

“The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible,” said Justice Commissioner Viviane Reding. “Europe’s directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens.”

Some independent observers have welcomed the announcement: “There may be much to criticise in the compromise position but as an overall package, it represents a well thought out attempt to update EU privacy laws and provide businesses wishing to develop techniques making intensive use of personal data with clearer guidance on the areas of concern and to give individuals greater certainty as to how their personal data will be handled,” commented Mark Prinsley, head of Intellectual Property at international law firm Mayer Brown.

But not everyone is happy about the changes – the Industry Coalition for Data Protection (ICDP), a group of 16 associations representing “thousands” of European and international companies, has described the draft as unworkable.

“The proposal approved by the European Parliament lacks the balanced and future-proof rules needed to protect people’s personal data while preserving the ability of European businesses to innovate and thrive.” Chris Sherwood, head of public policy for Allegro Group, speaking on behalf of ICDP. “The stakes are high, and this proposal must be improved as legislative scrutiny on this dossier continues.”

What do you know about Europe’s role in Tech history? Take our quiz!