In January 2012, the European Commission proposed a comprehensive reform of Europe’s data protection rules to strengthen individual online privacy rights and to create certainty around the operating environment for Europe’s rapidly developing digital economy.
Although it was thought at the time of the original EU Data Protection Directive in 1995 that Europe had created strong, fit-for-purpose regulation, rapid technological change – combined with alarming revelations about inappropriate surveillance and governments abusing personal data collection – made it imperative that further regulatory action be taken.
Essentially, the Commission’s proposals aim to address the needs of individuals and citizens although in quite different ways.
For the citizen, there is the new ‘right to be forgotten’, which will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, it will be deleted. Similarly, citizens will have an enhanced right of access to data held on them. Permission to process such data can no longer be assumed – individual permission must be given explicitly. Individual citizens will also have a much easier transfer of data from one service provider to another, and must be notified directly and promptly of any serious data breaches.
Extensive research by the Commission has shown increasing public concern about the security of personal data and broad support for the Commission’s proposals.
In recognising that “data is the currency of the digital economy”, the Commission has estimated the value of Europe’s data at a figure approaching €1 trillion and argued that strengthening Europe’s data security is actually an economic opportunity. The benefits to business, and to the European economy generally, are threefold.
Firstly, the regulation will establish a single pan-European law for data protection replacing the current patchwork of national laws. Secondly, the regulation will establish a one-stop-shop where businesses will only have to deal with one regulatory authority, rather than 28, making it cheaper to do business across Europe. Thirdly, the same rules will apply to all companies large or small, irrespective of where they are established.
Non-EU companies will still be bound by EU data protection regulation and there will be hefty penalties for non-compliance. There will also be some lessening of red tape for SMEs in the overall operation of the regulation.
The Commission argues that all of this will actually give European business a competitive advantage globally, as data security becomes an increasingly important issue worldwide.
In October 2013, the Commission’s proposals (brought forward by the Commission’s Directorate-General for Justice) were approved by a large majority by the European Parliament’s leading Committee on Civil Liberties, Justice and Home Affairs. On 12 March 2014, the proposals were approved by the full Parliament, which settles the view of the Parliament on the issue even though the Parliament will have a new make-up following the forthcoming elections.
Welcoming the vote, EU Justice Commissioner Viviane Reding said: “We need to get serious on data protection. The European Parliament understood. Today’s vote is the strongest signal that we need to deliver this reform for our citizens and our businesses.”
The proposals now pass to the European Council for final negotiations and indications are that the Directive will be completed in this calendar year.
In the meantime, there are a number of legal cases under way in Europe where citizens and groups are challenging existing data retention issues.
These cases may yet impact the Commission’s and the Council’s final deliberations.
The data vote
MEPs approved the Directive by 371 votes to 276 at its first reading on 12 March with eight Irish MEPs in favour and four against. The four objectors were the Fine Gael MEPs, who followed the European People’s Party (EPP) line i.e. that the Directive should not cover data held by the police and law enforcement authorities.
The law now passes to the Council of Ministers, which tends to be more conservative than the Parliament. Ministers, unlike MEPs, are directly responsible for policing and security policy on a day-to-day basis and will be reluctant to allow interference with law enforcement work.
Of the 28 national governments, 14 are led by conservatives, 10 by the centre-left and four by liberals. The next Council meeting to discuss data protection reform will take place in June.
Members of the public can follow the results of EU votes at www.votewatch.eu