Out-Law News 3 min. read

Committee of MEPs back stiffer sanctions for data protection law breaches


Businesses operating within the EU face fines of up to 5% of their annual global turnover, or €100 million if greater, if they breach data protection laws under draft proposals backed by a committee of MEPs.

On Monday evening the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee voted to approve reforms to EU data protection rules in a move that has been welcomed by the EU's Justice Commissioner and privacy watchdogs the Article 29 Working Party and European Data Protection Supervisor. 

The proposals backed by LIBE are still subject to change, as EU member states, through the Council of Ministers, have been drafting their own wording for a General Data Protection Regulation through a separate process. Once the Council of Ministers reaches agreement on its draft it will negotiate with the Parliament over a single set of rules. The European Parliament and the EU Ministers would then have to vote to approve that wording before the reforms could come into force. 

A draft Regulation was first proposed by the European Commission in January 2012 and, if introduced, would create a single, harmonised, data protection regime across the EU. At the moment there are differences in the way individual countries within the trading bloc have implemented and interpret the Data Protection Directive that is currently in force. 

The Regulation would apply to companies with a base inside the EU, even if they process personal data outside of the area, and also to companies based outside of the EU if they are processing personal data in order to offer goods or services to individuals within the EU or to monitor those individuals' behaviour, according to the proposals supported by LIBE. 

Under the LIBE draft, businesses face being issued with "effective, proportionate and dissuasive" sanctions if they breach the Regulation.

 Data protection authorities would be obliged to at the very least issue a warning to businesses that breach the Regulation for the first time or which have engaged in "non-intentional non-compliance". In other cases the businesses could be forced to open themselves up to regulator data protection audits, or they could be fined up to €100m or 5% of their annual global turnover for a failure to "comply with the obligations" laid out under the new framework. 

Businesses will be able to obtain a certification from DPAs that their processing of personal data is compliant with the Regulation, under the LIBE plans. Businesses that are issued with a valid 'European Data Protection Seal' would face immunity from fines for breaches of the Regulation unless the breach was "intentional" or involved "negligent incompliance". 

When determining whether and to what extent to fine businesses, DPAs will be required to consider a range of factors, such as "the nature, gravity and duration of the incompliance", the damage suffered by individuals and any financial benefits companies have derived from the breach, as well as the "degree of technical and organisational measures and procedures" businesses have put in place to observe rules relating to privacy by design and secure processing. 

Under the LIBE-backed proposals, businesses seeking to rely on the permission of individuals to process their personal data would face restrictions on how far that consent would apply. 

"Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected," according to one of the compromise amendments voted through by LIBE and seen by Out-Law.com. 

The LIBE committee has also backed draft rules that would require companies to obtain regulatory approval to transfer personal data outside of the EU to countries that have not been approved as having adequate data protection measures in place. A number of legal mechanisms and safeguards could be adopted to permit the transfer to take place without the need for approval, however. 

The committee has, though, backed rules that would force companies to obtain the approval of DPAs to transfer the personal data of EU citizens' personal data to third countries where a court or administrative authority in a third country has ordered that disclosure. 

Businesses would have to tell individuals that their data was subject to request from the third country court or authority unless EU or member state law bans such notification so as to safeguard public security or the prevention, investigation, detection and prosecution of criminal offences, or in line with other listed exceptions. 

"Parliament now has a clear mandate to start negotiations with EU governments," Jan Philipp Albrecht, rapporteur on the data protection reforms for LIBE, said in a statement. "The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens' interests and deliver an urgently-needed update of EU data protection rules without delay." 

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.