(Mar. 28, 2014) On March 12, 2014, the European Parliament voted on a first reading of a major reform of European Union legislation on personal data protection, which had been proposed by the European Commission in 2012. The proposal consists of two major legislative pieces:
(a) a comprehensive Regulation that will replace the outdated 1995/43/EC Directive on the subject and result in uniform application of the rules on personal data; and
(b) a Directive on protecting personal data processed for the purposes of prevention, detection, investigation, or prosecution of criminal offenses and related judicial activities.
The draft Regulation was adopted by 621 votes, with 10 against and 22 absent. The draft Directive was approved by 371 MPs, with 276 voting against it and 30 absent. (Press Release, European Parliament, MEPs Tighten Up Rules to Protect Personal Data in the Digital Era (Mar. 12, 2014).) The new rules adopted by the Parliament focus on the following issues.
Data Transfers to Non-EU Countries
Due to surveillance activities conducted by the U.S. National Security Administration (NSA) on American citizens, which also encroached on the privacy and personal data of EU citizens, the Parliament paid particular attention to data transfers to non-EU countries. Under the proposal, any firm, including any cloud services provider, social network, or search engine, is required to obtain prior authorization from a national data protection authority in the EU before allowing access to an EU citizen’s personal data. Another important requirement is that the firm must inform the person concerned whose data will be accessed. (Id.)
While the European Commission had proposed fines of the larger of either €1 million (about US$1.38 million) or 2% of the fined company’s world-wide annual turnover, the Parliament recommended stiffer penalties, up to €100 million (about US$138 million), or up to 5% of the organization’s annual world-wide turnover, whichever is larger. (Id.)
The Parliament’s proposal also endorses the right of EU citizens to have their personal data deleted (the right to be forgotten) and imposes additional restrictions on “profiling” through such acts as using personal data to make predictions about a person’s performance at work. Moreover, Internet service providers must use clear and unambiguous language to explain privacy policies and use of personal data. (Id.)
The proposal will next be voted on by the upcoming Parliament, which will be in place following elections in May 2014. (Id.)