By Robert Stankey

The European Parliament has finalized its version of the proposed Data Protection Regulation, which would substantially change personal data protection rules in the 31-country European Economic Area. The Parliament’s LIBE committee voted October 21 on a final package of amendments to the draft regulation that the European Commission had published in January 2012. After formal approval by the full Parliament, negotiations will begin with national governments (through the Council of the European Union) on a final version of the legislation. Key features of the amendments are:
- Higher penalties – Violations could be punished through the imposition of fines of up to the greater of €100 million ($137 million) or 5% of annual worldwide revenue (compared with €1 million or 2% proposed by the Commission).
- Breach notification – Regulators and, in certain circumstances, affected individuals still must be notified of data breaches, but the 24-hour notification deadline that had been proposed by the Commission has been eliminated.
- Consent – Affirmative action (such as through a writing or an online acceptance) is required to show consent. Implied consent through use of a service is not sufficient.
- Right of erasure – Existing rights to request the deletion of personal data have been strengthened as a replacement for the Commission’s controversial and ill-defined proposal for a “right to be forgotten”.
- Disclosure to foreign governments – New provisions would make it a violation to disclose information that is processed in the EU to a foreign government without the approval of a data protection authority.
- Standardized information disclosures – Standard information disclosures have been specified, including an icon-based compliance scorecard.
- Pseudonymous data – A new category of personal data that cannot be attributed to a specific individual will be subject to a different set of privacy rules.
- Profiling – Use of personal data for analytic or predictive purposes would require an individual’s consent, and a mechanism to object to profiling would have to be provided.
- Extraterritorial application – Parliament has somewhat strengthened provisions that would make data protection rules applicable to all non-European companies that offer goods or services to Europeans or that monitor Europeans. Data processing within Europe would no longer be required for EU privacy rules to apply.
- Home regulator – Data controllers would be subject to enforcement by the regulator where they have their main establishment in Europe.