MEPs approve new rules to modernise EU data protection

23 Oct 2013 | News
A single European law will see greater protection for consumers, but raises concerns for medical research and digital companies. And an EU-controlled gateway will be set up to police the international exchange of data.

A major overhaul of EU data protection is on its way after MEPs in the European Parliament’s Civil Liberties Committee (LIBE) voted through new rules this week. The measure, which is expected to be formally approved by May 2014, will require companies to obtain explicit consent before handling a person’s data, give individuals the right to have their data deleted on request, and impose restrictions on transmitting data outside the EU. The vote, the first revision to Europe’s data laws since 1995, “is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age,” said Jan Philipp Albrecht, MEP and Rapporteur for the regulation. As well as modernising the rules, the regulation will replace the individual laws of the 28 EU states with one uniform piece of legislation.

In response to the revelation in June 2013 that US intelligence services have been monitoring European citizens, MEPs have inserted a new rule on transferring data outside the EU. Any search engine or social network – such as Google or Facebook – or any other company processing personal information in the EU will have to seek authorisation from a European national data protection authority before transmitting data to a non-EU country. Companies will also have to inform the individual concerned, MEPs say.

Making data rules workable

The Commission says the change to a single, pan-European law for data protection will save companies an estimated €2.3 billion per year, but the reception from interest groups has been less positive. The Industry Coalition for Data Protection (ICDP), representing companies in the digital sector, said considerable improvements to the text will be necessary, “to deliver a framework that is workable across all EU member states and implementable by the vast range of industries operating in Europe.” 

National governments must now reach a position on the regulation, which they hope to achieve at this week’s summit in Brussels, before negotiations can begin between the institutions.

Explicit consent

Personal data can be processed lawfully in a number of scenarios, including where the individual has given their consent. Under current rules, this consent needs to be “unambiguous” but that standard will now be raised to “explicit” consent, evidenced either by a statement or by a clear affirmative action, for example ticking a consent box.

Withdrawing consent must be as easy as giving it, MEPs say, and individuals must be able to withdraw their consent at any time. Companies will not be able to make consent a condition of the provision of a service or a contract, unless the processing of personal data is strictly needed for the completion of that contract or service. Consent loses its effect as soon as the processing of personal data is no longer needed for the initial purpose for which the data was collected.

Explicit consent will also be necessary for the processing of personal data for scientific research, a requirement that has sparked concern among medical researchers. There will be limited exceptions where the research serves a high public interest, but even then, the data must be either anonymised or pseudonymised under the highest technical standards, with measures to prevent the re-identification of individuals. The PHG Foundation, a UK-based health policy think-tank, said the rules in their current form “could significantly inhibit medical research including many large scale genomics projects.”

Right to erasure

MEPs voted to give individuals the right to demand the deletion of their personal data under a new “right to erasure”. This is an extension of the existing right to demand the deletion of inaccurate, incomplete or unlawfully processed data. Where the data has been made public, an onus will be placed on businesses to forward the deletion request to third parties holding links to or copies of the information.

Under the Commission’s proposal this new protection was named the “right to be forgotten” – a title received very poorly by industry. MEPs changed the label to “right to erasure”, following consultations with technology companies, which made it clear that it would be impossible to entirely remove someone's traces from the Internet. 

This right will be restricted in some cases, for instance when the retention of personal data is necessary to fulfil a contract or is required by law. Exemptions also exist for historical, statistical and scientific research purposes, for public health reasons or to exercise the right to freedom of expression. 

The Standing Committee of European Doctors (CPME), representing Europe’s national medical associations, say the exemptions should be extended to cover health purposes in general, and not just public health. “The adopted text does not foresee any exemption to the right to be forgotten for purposes of preventive or occupational medicine, medical diagnosis, provision of care or treatment or the management of healthcare,” said Katrín Fjeldsted, President of CPME.

In their current form the rules mean that, “Doctors might simply no longer be able to access their patients' medical records,” Fjeldsted warned. “This is extremely dangerous and will no doubt harm patients sooner or later,” she said.

Limits on profiling

MEPs also set limits to profiling, whereby companies exploit mountains of personal data to analyse and predict someone’s behaviour and preferences. New rules would mean that profiling is only allowed under defined circumstances: when the person has consented, when provided by law, or when needed to pursue a contract.

Ecommerce Europe, which represents online retailers, says this opt-in approach is unnecessary: “Legitimate profiling is not a harmful activity, but a tool used by organisations in every market segment, including commercial and non-profit, in pursuit of a legitimate business interest.” The focus should be on profiling activities which have negative or adverse effects on privacy, Ecommerce Europe says.

Cost of non-compliance

In a sign of the political importance recently acquired by data protection, MEPs have opted to impose harsher fines than those proposed by the Commission. Companies now face fines of up to €100 million or five per cent of annual worldwide turnover, whichever is greater, up from the €1 million or two per cent of annual worldwide turnover in the original proposal.

For less serious breaches, data protection authorities may issue a written warning, or impose regular data protection audits. 

Source: Science|Business