A major overhaul of EU data protection is on its way after MEPs in the European Parliament’s Civil Liberties Committee (LIBE) voted through new rules this week. The measure, which is expected to be formally approved by May 2014, will require companies to obtain explicit consent before handling a person’s data, as well as giving individuals the right to have their data deleted on request and imposing restrictions on transmitting data outside the EU. The vote, the first revision to Europe’s data laws since 1995, “is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age,” said Jan Philipp Albrecht, MEP and Rapporteur for the regulation. As well as modernising the rules, the regulation will replace the individual laws of the 28 EU states with one uniform piece of legislation.
In response to the revelation in June 2013 that US intelligence services have been monitoring European citizens, MEPs have inserted a new rule on transferring data outside the EU. Any search engine or social network – such as Google or Facebook – or any other company processing personal information in the EU, will have to seek authorisation from a European national data protection authority before transmitting data to a non-EU country. Companies will also have to inform the individual concerned, MEPs say.
Making data rules workable
The Commission says the change to a single, pan-European law for data protection will save companies an estimated €2.3 billion per year, but the reception from interest groups has been less positive. The Industry Coalition for Data Protection (ICDP), representing companies in the digital sector, said considerable improvements to the text will be necessary, “to deliver a framework that is workable across all EU member states and implementable by the vast range of industries operating in Europe.”
National governments must now reach a position on the regulation, which they hope to achieve at this week’s summit in Brussels, before negotiations can begin between the institutions.
Right to erasure
Under the Commission’s proposal this new protection was named the “right to be forgotten” – a title received very poorly by industry. MEPs changed the label to “right to erasure”, following consultations with technology companies, which made it clear that it would be impossible to entirely remove someone's traces from the Internet.
The Standing Committee of European Doctors (CPME), representing Europe’s national medical associations, say the exemptions should be extended to cover health purposes in general, and not just public health. “The adopted text does not foresee any exemption to the right to be forgotten for purposes of preventive or occupational medicine, medical diagnosis, provision of care or treatment or the management of healthcare,” said Katrín Fjeldsted, President of CPME.
MEPs also set limits to profiling, whereby companies exploit mountains of personal data to analyse and predict someone’s behaviour and preferences. New rules would mean that profiling is only allowed under defined circumstances: when the person has consented, when provided by law, or when needed to pursue a contract.
Cost of non-compliance