'Breakthrough' on EU data protection bill
After 18 months of intense negotiations, MEPs spearheading the European Data Protection regulation have reached a compromise.
The heavily lobbied draft bill, which included a record-breaking 4,000 amendments, is now set for a committee orientation vote in the next plenary session in Strasbourg.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
“I think it is a huge success, I really think we achieved something that many people doubted we would be able to achieve,” German Green Jan Albrecht told reporters in Brussels on Thursday (17 October).
Albrecht is confident of a 'Yes' vote, scheduled for Monday (21 October) evening, after obtaining a broad consensus on the hundred or so compromises in the text.
All the political groups, he noted, have backed the version.
“It’s a win-win situation for European companies, for European citizens, for consumers of the digital market in Europe,” he said.
The MEPs are pushing to get an agreement before the May 2014 elections.
The document will bypass plenary debate and vote in order to kick start inter-institutional negotiations to reach a more timely agreement.
But Paris-based Internet campaign group La Quadrature du Net described the parliament’s tactic as an “obscure hijacking of the democratic debate” because of the closed-door nature of such meetings.
“The only objective of the negotiating team in this manoeuvre seems to be able to boast about this regulation being the best achievement ever reached in the field of data protection, even if that is yet far from the case and could even get worse,” noted the group in a statement.
The regulation, which aims to create a single set of binding data protection rules across the EU, will replace the 1995 EU directive currently in use.
Everything, with the exception of national security and police and justice cooperation, falls under its scope.
A so-called anti-FISA clause, removed at the Commission’s draft stage of the document following pressure from the US, is now back in the draft.
The text sets up a legal framework in an effort to coerce US-based companies from indiscriminately passing on the personal details of EU citizens to US law enforcement and its intelligence agency.
A company would face fines, on the basis of the European Union law, if the transfer took place without the legal basis.
“This article has now been included in the compromises accepted by all political groups in this house,” said Albrecht.
In broad terms, the draft agreed upon by the MEPs is said to re-enforce the role of data protection authorities and reduce some compliance requirements on small businesses.
Companies that break the rules can be fined up to 5 percent of their yearly turnover. The commission’s original proposal set the sanction threshold at 2 percent.
Data protection officers, to ensure the regulation is properly applied, are mandatory within the business but with conditions.
The number of people whose data is processed, not the business size in terms of personnel, will determine if they must hire the officer though some exceptions apply to small businesses.
The right to be forgotten is now called the ‘right to erasure’ but the meaning remains similar to what is outlined in the 1995 directive, says Albrecht.
“The right we are talking about here, is the right to deletion and the right to erasure,” Albrecht noted.
If a person asks an Internet giant to remove his personal data, then the company must also communicate the request to others where the data is duplicated. Ilegally published private data would have to removed.
Consent, for a company to use a person’s data, must also be explicit.
But a source close to the file told this website that it is up to the company to determine the balance of what is in the consumer's 'legitimate interest' and their own rather than having to seek out consent.
A company that sells a car, for instance, can then pass on direct marketing materials to the client on other products without asking.
He noted that the MEPs, at their last meeting on Wednesday, negotiated on core issues up to the very last minute.
“People are happy this is finished,” he said.