On Monday, the LIBE Committee of the European Parliament (the committee responsible for Civil Liberties, Justice and Home Affairs) approved a data protection package consisting of a new EU Data Protection Regulation and a Directive covering the processing of personal data by law enforcement authorities. The vote, originally scheduled for April 2013, was postponed several times because of the sheer number of amendments (over 3,000) submitted by consumer groups, industry, and other stakeholders.

A proposal to replace the EU’s 1995 Data Protection Directive with a “regulation” that would apply directly in all EU member states was first announced by the European Commission in 2012, after which the EU Council and the European Parliament began their review of the proposal.

The Proposed EU Data Protection Regulation Controversy

Since the Commission’s announcement, the regulation has engendered much controversy, resulting in a piece of legislation that the Guardian recently described as the “most intensely lobbied” in the EU. Requirements such as explicit consent for the processing of personal data, a “right to be forgotten,” and a 24-hour breach notification period drew concerns from industry and regulators alike because of their restrictive and prescriptive nature.

The EU Council weighed in with its response in June 2013, recommending a less strict, “risk-based” approach to data protection that emphasizes the twin goals of EU data protection law: the protection of personal data and the free flow of data. For instance, the Council’s proposal recommends a more contextual approach to consent and the right to be forgotten, based on how well the user is informed and on the technology available.

The European Parliament – led by the LIBE Committee and its lead “rapporteur,” Jan Albrecht – also continued its review, voting on and releasing its recommendations on Monday. As expected, the LIBE Committee draft preserves much of the Commission’s original proposal – here are the highlights:

    • Data transfers to non-EU countries – these could only take place if approved by the national data protection authority of the EU member state in question. If this provision is adopted, it is unclear whether the EU-US Safe Harbor agreement would remain a valid basis for EU-US data transfers.
    • Explicit consent for the processing of personal data. Explicit consent is defined as the “freely given, specific, informed and explicit indication” of a user’s wishes, given either by a statement or by a clear affirmative action.
    • A Right to Erasure – the LIBE draft’s name for the “right to be forgotten”: a right to have personal data erased at the user’s request.
    • Profiling – profiling includes analyzing a user’s online behavior for the purposes of marketing and advertising. The LIBE proposals restrict profiling based on personal data but exempt profiling based on pseudonymous data (defined as “personal data that cannot be attributed to a specific data subject without the use of additional information”).
    • Sanctions – for data protection violations, the LIBE Committee proposes fines of up to 5% of annual worldwide turnover or €100 million, whichever is greater (compared to the 2% or €1 million in the Commission’s proposal).

Negotiations Remain Before a Final Agreement is Reached

The story around both the Regulation and the Directive continues to evolve daily, and the recent revelations about the U.S. NSA surveillance programs are clearly influencing the final form of both the data protection regulation and the law enforcement directive.

Now that the LIBE Committee has adopted its recommendations, Jan Albrecht will negotiate the provisions with the EU Council. The Parliament, Council, and Commission must also decide the final format of the “trilogue” process, in which all three institutions must reach agreement on what the final EU data protection law will look like. This agreement must be reached before the European Parliament elections in May 2014 so that the full Parliament can vote on the Regulation before the current parliamentary session ends.

TrustArc continues to monitor the situation closely. Last week, our CEO Chris Babel joined other speakers at the Compliance Week Conference in Brussels, where the proposed changes to the EU’s data privacy rules were one of the main topics of discussion. That discussion continues to evolve daily, as Monday’s LIBE Committee vote now sets in motion a series of events that will decide whether or not the regulation and directive become EU law before the current parliamentary session ends in April 2014.

As always, TrustArc will closely follow all of these important developments in the EU and offer advice and privacy solutions to businesses looking to stay ahead of the proposed changes.