European Parliament decides for single data protection standard

Single EU Data Protection Regime one step closer

An overwhelming majority of the European Parliament (621 yes / 10 no) today voted in favour of the new regulation on the “Protection of individuals with regard to the processing of personal data” at their session in Strasbourg. Rapporteur Jan-Philipp Albrecht (Green Party) during a press conference before the vote said, the regulation would allow for a high and uniform standard. Now the standard adopted by the parliament has to be negotiated with EU member states, who were too slow to finalise their work on the package before the closing of the legislature. It is expected that the European Council will negotiate with the European Parliament in June.

More discussions lay ahead with regard to the regulation and, more so, the second part of the package, a directive on the “Processing of personal data for the purposes of crime prevention” that was not supported by the conservative European People's Party (EPP) in today's vote. The proposed directive of Socialists & Democrats rapporteur Dimitrios Droutsas received 371 yes votes and was opposed by 276 parliamentarians.

Regulating Google, but not the GCHQ?

During a heated debate yesterday, Droutsas had challenged members of the EPP, asking them not to abandon the package approach. It would be very difficult to explain to citizens, he said, why Google, but not police and law enforcement should be reigned in. The Parliament should not “do the dirty work of governments” - who had delayed standards for data protection in law enforcement, despite abuses in threat field, Droutsas warned during the debate.

Governments had been even slower in their preparations of a joint position on the directive despite the fact that data protection in the so called third pillar – law enforcement - had been on the agenda of the EU legislator for years.

By shying away from a single regulation for the private sector and the police and choosing a directive for the latter, the Commission already granted member states much more flexibility. The regulation for the private sector on the other hand does not need to be implemented. Once passed, it will become an enforceable law in all member states.

Consent and control for citizens

The regulation will be replacing the old 1995 Data Protection Directive which was once hailed as the most progressive standard, yet had as a directive allowed for different implementations and enforcement levels in the member states. The rules of the new regulation which include issues like more and better information for customers as well as consent and deletion rights were no complete novelty, Albrecht said during the press conference.

The big step instead was creating a level playing field for all EU and third country companies by preventing so called forum shopping. “Companies like Facebook or Google so far had chosen for example Ireland over other EU member states [to register their business], expecting to enjoy weaker data protection obligations,” Albrecht said.

A single standard would not only help citizens, though, but also companies by providing them with legal certainty in the Union over a patchwork of 28 different national regimes. The Parliament also decided to beef up enforcement, by including fines of “up to 100 Million Euro or up to 5 percent of the annual worldwide turnover in case of an enterprise, whichever is higher.” Asked where he would have wished more, Albrecht pointed to his unease towards exemptions from consent obligations for companies with what has been characterised as “legitimate interests”. Exemptions for promotion and advertising seem to be very much accepted in modern society, he said. “I think we have to continue this discussion as many people only are starting to realise what this means.”

Not everybody amused

The ink was not yet dry on the vote when a group of industry associations started to voice its “disappointment” over the Parliament's decision. The Industry Coalition for Data Protection (ICDP), a group of 16 EU and international business associations, “expressed regret at the outcome of the European Parliament's Plenary vote today,” an ICDP press release reads. “Many of the provisions in the proposal agreed today - which is unchanged from the text as amended in committee - reflect an overly prescriptive, "freeze-frame" approach that would be unworkable in practice, even for data protection authorities, and would threaten digital innovation and investment while failing to provide meaningful rights or protections to European citizens.”

EU regulation may inspire other data protection initiatives

Asked about the kind of international reaction he expected Albrecht said after the vote, that there had already been a lot of dialogue. Even non-EU-bodies including the US Chamber of Commerce and NGOs and Civil Rights organisations in the United States had participated in the discussions over drafts of this regulation. The White House is also looking at drafting legislation in the field of online privacy, Albrecht said, expressing that similar legislation in third countries certainly might help to facilitate “transatlantic data flows and transatlantic common markets.” Droutsas even went one step further: “it may sound ambitious, but I am convinced the time has come to talk about a world regime on data protection.”

First things first

Yet before data protection goes international, the EU member states have to come to grips on their position with regard to the data protection package and, negotiations with Albrecht and Droutsas need to be successful. While the Greek Presidency said it was committed to have a negotiation mandate in place in June – after the EU elections – , details and even the legal nature or packaging of the two instruments could still be questioned. “Quality” was mentioned by Dimitris Kourkoulas, Greece’s Deputy Foreign Minister, as a reason why member states were taking more time - from the time it was tabled by the Commission in January 2012 up until now.