Euro-deputies diverge on data protection details
Euro-deputies are thrashing out the details on European data protection reform, with the latest debates split on provisions on "territorial scope."
The European Commission wants the legislation to cover non-EU entities that process data of EU citizens.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
But a source close to the file told this website on Friday (24 May) the deputies are unable to reach an agreement on the detail of the scope.
MEPs focusing on the draft regulation met in Strasbourg on Wednesday in a closed-session event in one of many attempts to whittle down the thousands of amendments.
They want to converge the parliament’s final draft before it goes to an orientation vote in the civil liberties committee, possibly in early July.
The regulation aims to increase the fundamental rights of EU citizens by harmonising data protection guarantees across the EU under a single law.
UK Liberal MEP Baroness Sarah Ludford at Wednesday’s meeting argued that companies in the EU which cater only to non-EU residents should be exempt from the regulation, says the source.
When questioned on the exemption, Ludford told this website that there is a need to “get legal clarity on which individuals are covered by the proposed regulation, whether it is people when they are present in the EU or those outside the EU.”
She noted such clarity does not “seem to exist, which is a very bad way to make legislation.”
The diverging deputies agreed to have the commission step in to mediate the issue.
Articles on information and documentation also generated heated debate.
A company collecting personal data is required to provide the person with a list of information, according to the draft regulation.
This includes, among others, the identity and contact details of the company and the length of time the company will store the data.
The regulation also calls for companies to maintain documentation of all processing operations under its responsibility.
Some of the information required involves the name and contact details of the data protection officer (if any), the purpose of data processing, and name and contact details of the companies.
Ludford argues some of the requirements in both articles are overly excessive.
“I want strong provisions on information rights for individuals but insist that they should be clear and workable and not end up in people being deluged with reams of useless bumpf,” she said.
Ludford explained that forcing companies to keep routine bureaucratic records as opposed to concentrating on evaluating risks, “is a combination which in my opinion would be the worst of all worlds.”
The source noted that both provisions are already in current law.
One of the lead rapporteurs at the meeting “exploded” over Ludford’s insistence on the wording, says the source.