Directive to send strong signal on data protection
Since revelations by Edward Snowden, MEPs increased protection on access to data
“With a large majority vote, @Europarl_EN committee has sent a strong signal tonight: as of today data protection is made in #Europe.”
With that tweet – immediately after the important European Parliament civil liberties committee vote on Monday night – the European justice commissioner Viviane Reding gave a thumbs up to the latest negotiating stage for the reformed data protection directive that she introduced nearly two years ago.
The proposed directive was a major focus of Ireland’s recent stint in the EU presidency, when Reding praised efforts by the Government here to push through initial discussion and reform. Some 4,000 amendments to Reding’s original legislation, many of them hammered out in Ireland, were approved by a surprisingly swift and almost unopposed 49-3 vote (with one abstention).
In the wake of whistleblower Edward Snowden’s revelations about US National Security Agency spying, MEPs chose to sharpen protections on third-party access to data, while subjecting companies that divulge personal data, accidentally or deliberately, to increased sanctions and fines.
A parliament statement noted: “Responding to mass surveillance cases, MEPs inserted stronger safeguards for data transfers to non-EU countries.”
German MEP Jan Philipp Albrecht, who as rapporteur led the committee negotiations on the directive, said at a press conference: “In the future, only EU law will be applicable when citizens’ data in the EU will be used, independently of where the company using the data is based, be it in Germany, Ireland or the US.”
Legislators also added an explicit consent requirement for gathering and using data, and a “right to erasure”.
All of these elements are likely to make companies far more cautious about how they manage data.
“Europe is setting the data-protection agenda, and maybe the benchmark, and the rest of the world will have to follow,” says John O’Connor, partner and head of the technology and commercial contracts group at Dublin legal firm Matheson.
Many of the US technology companies most likely to be directly affected by the draft directive’s provisions on handling personal data, including most named as part of the US NSA’s secret Prism data-gathering initiative, have their European base in Ireland and will no doubt be closely watching discussions.
O’Connor says that under the approved proposals, data protection is being shifted from a relatively low-level compliance issue to a board-level, high-priority risk concern. “Corporations have known for years that sanctions for non-compliance with data protection have been incredibly low. That has really changed.”
While the draft will now go back to the parliament as well as the 28 member states for further discussion, and almost certainly further revision, O’Connor feels that post-NSA, increased sanctions for data breaches as well as the “right to erasure” of personal data are likely to remain as part of the final directive.
The right to erasure is a watering down of Reding’s proposed “right to be forgotten”, as organisations will only be expected to remove data if – within certain constraints – it doesn’t infringe on freedom of information or personal expression.
However, O’Connor notes that in recent months it had appeared as if politicians would remove the controversial right entirely. Many businesses, especially US internet search and social media companies, had complained it would be expensive and potentially difficult to implement.