European Parliament Votes In Favor Of General Data Protection Regulation And Threatens Suspension Of Data Transfers To U.S.


On March 12, 2014, the European Parliament resoundingly voted for the EU General Data Protection Regulation ("Regulation") proposed by the EU Commission on January 25, 2012.1 The Parliament largely backed the report on and proposed amendments to the Regulation that the Committee for Civil Liberties, Justice and Home Affairs ("LIBE") of the European Parliament adopted in October 2013. The Regulation as amended by the LIBE Committee could seriously affect companies operating in the EU. It requires inter alia:

Antitrust-Like Fines. The Regulation increases the fining powers of authorities, such that fines can go up to the higher of €100 million or 5 percent of annual worldwide turnover (i.e., sales) in the case of an enterprise, instead of €1 million or 2 percent of annual worldwide turnover as proposed by the Commission.

Extended Territorial Scope. The Regulation would be applicable to a controller not established in the EU when its processing activities are related to either offering goods or services to individuals in the EU (irrespective of whether payment is required) or monitoring individuals in the EU.

Limitation on Legal Process Outside the EU. The Parliament added a provision stating that no third-country court judgment or administrative decision that requires disclosure of personal data will be recognized or enforced (except under international agreement). Where such a request is made to a controller, it must obtain prior authorization from the supervisory authority to transfer or disclose the data. The relevant data subjects must also be informed.

Data Protection Officers ("DPOs"). The controller and the processor must designate a DPO in cases in which processing is carried out by a legal person and relates to more than 5,000 data subjects in any consecutive 12-month period. This is a shift from the criterion of the number of employees (at least 250) suggested by the Commission. As a consequence, large companies with low data processing activities can be exempted, while small "Big Data" companies can be covered. DPOs are appointed for at least four years (in the case of employees) or two (in the case of external contractors).

This plenary vote means that the position of the EU Parliament will not change even if its membership changes as a result of the European elections in May 2014. However, in order for the Regulation to become law, it must also be adopted by the European Council, made up of all 28 EU Member States. Because the...

To continue reading