The European Parliament has issued two draft reports (here and here) on the reform of European data protection rules, proposed by the European Commission last January, expressing “full support for a coherent and robust data protection framework with strong end enforceable rights for individuals” — and stressing the need for “a high level of protection for all data processing activities in the European Union to ensure more legal certainty, clarity and consistency”, according to an EC memo issued today.
The memo notes that the European Parliament supports the objectives of its proposed reform — namely:
to establish a comprehensive approach to data protection, to strengthen online privacy
rights and to do away with the current fragmentation of 27 different national data protection
laws which are costly and burdensome for businesses operating on Europe’s single market.
The EC cites research indicating that the majority of Internet users are worried about giving away too much personal data online. This increasing mistrust of online services is a factor the Commission believes could undermine the region’s digital economy — unless robust, transparent and consistent data protection rules are established by reforming existing European data protection rules.
Among the key points in the European Parliament’s draft reports are support for replacing the current 1995 Data Protection Directive with a “directly applicable Regulation with a single set of rules on data protection”; and support in principle for the EC’s proposal for a “one-stop-shop” for companies operating in multiple EU countries/consumers wanting to complain about a company established in a country other than their own.
The memo notes that the European Parliament wants to “create a powerful and independent EU data protection agency entrusted with taking legally binding decisions vis-à-vis national data protection authorities”. It is also supportive of strengthening users’ rights — encouraging the use by companies of pseudonymous and anonymous data, and further proposing to strengthen the concept of “explicit consent” for data to be legally processed by asking companies to use “clear and easily comprehensible language” — a principle it also wants to see applied to privacy policies.
On the so-called ‘right to be forgotten’ — a clause that has its critics, such as Facebook — the Parliament is proposing “further reinforcing” the “right to erase one’s data if there are no legitimate grounds to retain it” by “asking companies which have transferred data to third parties without a legitimate legal basis to make sure these data are actually erased”.
A spokeswoman for the Commission told TechCrunch that the Parliament is taking a “more strict” stance on the right to be forgotten portion of the EC’s proposed reform. The Parliament is proposing an amendment to the EC’s wording — changing the proposed ‘right to be forgotten’ to a ‘right to erasure and to be forgotten’ [amendment 34 of the Albrecht report].
Commenting on the Parliament’s reports, Facebook’s Erika Mann, Head of EU Policy in Brussels, said: “We welcome the thoughtful approach of the rapporteur on many issues. However, we are concerned that some aspects of the report do not support a flourishing European Digital Single Market and the reality of innovation on the Internet – which is inescapably global in nature, and which includes important partners like the US. We will be examining these proposals closely in the coming weeks.”
Elsewhere, the Parliament’s draft reports are also in agreement with the proposal that EU rules must apply if personal data of individuals in the EU is handled abroad by companies which are not established in the Union — even if they are providing free (rather than paid for) services. The EC spokeswoman said the Parliament’s view on “territorial scope” is also more strict than the EC’s proposal.
“They want a powerful data protection agency and they have created new categories of data (pseudonymised and anonymised data for example),” she added. The memo also notes that the Parliament is supportive of the need for independent national data protection authorities which are “well-equipped to better enforce the EU rules at home”. It also welcomes the EC’s proposal to empower national authorities to fine companies that violate EU data protection rules.
Viviane Reding, EC Commissioner for justice, fundamental rights and citizenship, tweeted today she’s “looking forward to swift adoption by both EP [European Parliament] and Council” of the new data protection rules. Adding in a second tweet:
Good to see the #EP rapporteurs supporting strong and uniform #EU data protection rules #EUDataP bit.ly/VQjIti
— Viviane Reding (@VivianeRedingEU) January 8, 2013
The draft reports will be discussed by the European Parliament’s LIBE Committee on January 10.
The EC added that it will “continue to work very closely with the rapporteurs of the European Parliament and with the Council to support the Parliament and the Irish EU Presidency in their endeavour to achieve a political agreement on the data protection reform by the end of the Irish Presidency”.
The full EC memo follows below.
MEMO/13/4
EUROPEAN COMMISSION
MEMO
Brussels, 8 January 2013
Commission welcomes European Parliament rapporteurs’
support for strong EU data protection rules
European Parliament rapporteurs today presented two draft reports on the reform of the EU’s
data protection rules proposed by the European Commission just a year ago (see IP/12/46
and MEMO/12/41). In their reports, Jan-Philipp Albrecht, rapporteur for the proposed Data
Protection Regulation for the Civil Liberties, Justice and Home Affairs Committee (LIBE) of
the European Parliament, and, Dimitrios Droutsas, rapporteur for the proposed Data
Protection Directive for the law enforcement sector, express their full support for a coherent
and robust data protection framework with strong end enforceable rights for individuals.
They also stress the need for a high level of protection for all data processing activities in the
European Union to ensure more legal certainty, clarity and consistency.
“The protection of personal data is a fundamental right for all Europeans. Opinion polls show
that individuals do not always feel in full control of their data. Policy makers and companies
must therefore do better,” said Vice-President Viviane Reding, the EU’s Justice Commissioner.
“I am glad to see that the European Parliament rapporteurs are supporting the Commission’s
aim to strengthen Europe’s data protection rules which currently date back to 1995 – preInternet age. A strong, clear and uniform legal framework will help unleashing the potential of
the Digital Single Market and foster economic growth, innovation and job creation in Europe.”
In their reports on the Commission’s proposals for a general Data Protection Regulation and a
Directive for the law enforcement sector the Members of the European Parliament support the
proposed package approach. They stress the need to advance negotiations swiftly on both
instruments at the same time.
The European Parliament rapporteurs, building on previous reports by the European Parliament
such as the Axel Voss report (MEMO/11/489), support the objectives of the reform, which
are: to establish a comprehensive approach to data protection, to strengthen online privacy
rights and to do away with the current fragmentation of 27 different national data protection
laws which are costly and burdensome for businesses operating on Europe’s single market.
Some of the amendments which the rapporteurs of the Parliament are proposing in their
reports aim at reinforcing individuals’ rights, including the right to be forgotten.
Some of the key points of the rapporteurs’ reports include:
• The need to replace the current 1995 Data Protection Directive with a directly applicable
Regulation. A single set of rules on data protection, valid across the EU will remove
unnecessary administrative requirements for companies and can save businesses
around €2.3 billion a year.
• The support in principle for the Commission’s proposal to have a “one-stop shop” for
companies that operate in several EU countries and for consumers who want to
complain against a company established in a country other than their own. To ensure
consistency in the application of EU data protection rules, the European Parliament
rapporteur wants to create a powerful and independent EU data protection agency 2
entrusted with taking legally binding decisions vis-à-vis national data protection
authorities.
• Support for the strengthening of users’ rights: they encourage the use by companies
of pseudonymous and anonymous data; they further propose strengthening the
concept of explicit consent for data to be legally processed by asking companies to use
clear and easily comprehensible language (also with regards to privacy policies); the
‘Albrecht-report’ proposes further reinforcing the “right to be forgotten” (the right to
erase one’s data if there are no legitimate grounds to retain it) by asking companies
which have transferred data to third parties without a legitimate legal basis to make
sure these data are actually erased.
• The European Parliament rapporteurs agree with the European Commission’s proposal
that EU rules must apply if personal data of individuals in the EU is handled
abroad by companies which are not established in the Union. According to the
amendments proposed it would be sufficient that a company aims at offering its goods
or services to individuals in the EU. An actual payment from the consumer to the
company is not needed to trigger the application of the data protection regulation.
• The European Parliament rapporteurs stress the need to have independent national
data protection authorities which are well-equipped to better enforce the EU rules at
home. The ‘Albrecht-report’ provides guidance as to the staffing and resourcing of
these authorities and welcomes the Commission’s proposal to empower them to fine
companies that violate EU data protection rules.
• On the delegated acts foreseen in the Regulation (also known as ‘Commission
empowerments’ or acts which ensure that if, in practice, more specific rules are
necessary, they can be adopted without going through a long legislative process): the
European Parliament rapporteur wants to drastically reduce the number of delegated
acts by including, among others, more detailed provisions in the text of the Regulation
itself. The European Commission has recently shown its openness to such an approach
(see SPEECH/12/764).
• On the Directive that will apply general data protection principles and rules to police and
judicial cooperation in criminal matters, the rapporteur agrees with the Commission’s
proposal to extend the rules to both domestic and cross-border transfers of data. The
report also aims to strengthen data protection further by enhancing individuals’ rights,
giving national data protection authorities greater and more harmonised enforcement
powers and by obliging them to cooperate in cross-border cases.
The European Parliament’s LIBE Committee will discuss the draft reports on 10 January.
The European Commission will continue to work very closely with the rapporteurs of the
European Parliament and with the Council to support the Parliament and the Irish EU
Presidency in their endeavour to achieve a political agreement on the data protection reform
by the end of the Irish Presidency.
Background
In the digital age, the collection and storage of personal information are essential. Data is used
by all businesses – from insurance firms and banks to social media sites and search engines.
In a globalised world, the transfer of data to third countries has become an important factor in
daily life. There are no borders online and cloud computing means data may be sent from
Berlin to be processed in Boston and stored in Bangalore.
74% of Europeans think that disclosing personal data is increasingly part of modern life, but at
the same time, 72% of Internet users are worried that they give away too much personal
data. They feel they are not in complete control of their data. Fading trust in online services
and tools holds back the growth of the digital economy and Europe’s digital single market. 3
On 25 January 2012 the European Commission proposed a comprehensive reform of the EU’s
1995 data protection rules to strengthen online privacy rights and boost Europe’s digital
economy. The Commission’s proposals update and modernise the principles enshrined in the
1995 Data Protection Directive to bring them into the digital age. They include a proposal for a
Regulation setting out a general EU framework for data protection and a proposal for a
Directive on protecting personal data processed for the purposes of prevention, detection,
investigation or prosecution of criminal offences and related judicial activities (IP/12/46).
The Commission proposals follow up on the European Parliament report by Axel Voss
(MEMO/11/489) which called on the Commission to reform European data protection rules.
The right to the protection of personal data is explicitly recognised by Article 8 of the EU’s
Charter of Fundamental Rights and by the Lisbon Treaty. The Treaty provides a legal basis for
rules on data protection for all activities within the scope of EU law under Article 16 (Treaty on
the Functioning of the European Union).