EU Justice Commissioner Viviane Reding says the vote makes EU data protection reform “irreversible”

The European Parliament voted Wednesday with overwhelming support for the proposed European General Data Protection Regulation. The procedural move ensures that the regulation, which has been in legislative process for more than two years, stays on the table, even after this May’s parliamentary elections.

In approving the regulation, Members of Parliament (MEPs) also strengthened some of the data protection amendments in the proposal and backed a resolution calling for the suspension of the Safe Harbor agreement with the U.S.

“I have a clear message to the council: Any further postponement would be irresponsible,” said Jan Philipp Albrecht, the rapporteur for the regulation. “The citizens of Europe expect us to deliver a strong EU-wide data protection regulation. If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them.”

EU Justice Commissioner Viviane Reding also voiced strong support for the vote. “The message the European Parliament is sending is unequivocal: This reform is a necessity and now it is irreversible.” She also said the vote “will make life easier for business and strengthen the protection of our citizens.”

In the vote, which followed a plenary debate, the European Parliament strengthened protections around data transfers of EU citizens’ data to non-EU countries; increase the potential fines to firms in breach of the regulation to €100 million, or five percent of global turnover, and ensure EU citizens have a right to be forgotten and to not be profiled.

Moving ahead, the European Parliament now waits on the Council of the EU to define its position. Once it has done so, both sides can negotiate.

For more information on EU data protection reform take a look at Close-Up: EU Data Protection Reform in the IAPP Resource Center.

In comments provided to Privacy Tracker, Monika Kuschewsky, special counsel at Covington & Burling, said, “The vote sends a strong signal in support of the proposed General Data Protection Regulation to the council, which still has not agreed on a common position. The ball is now in the council’s court.”

According to a European Commission press release, to become law, the proposed regulation must be adopted by the Council of Ministers using the “ordinary legislative procedure.” Ministers met on March 4 to discuss the reform and “broadly supported the principle that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full.”

The next meeting of the ministers is expected to take place in June.

European data protection expert and privacy lawyer Eduardo Ustaran, CIPP/E, who also shared an analysis of the vote last October here, told Privacy Tracker, “On the whole, the EU Parliament's text represents a powerful statement in favour of people's ability to control their own data. The Parliament has carefully refined the data protection rights of individuals by trying at all times to put people in a position of power in terms of the uses made of their data.”

Ustaran also added, “by reinforcing the so-called accountability principle by requiring the adoption and regular review (every two years) of compliance policies and procedures, and by bolstering new principles like data protection by design and by default, establishing brand new obligations such as the requirement to carry out risk assessments of most processing operations and ongoing data protection compliance reviews, as well as requiring the compulsory appointment of data protection officers, the cost of compliance will significantly increase.”

In predicting the arc of data protection reform in Europe over the next year, things look to remain dicey, overall.

Ustaran said, “Of course, now it is up to the Council of the EU to soften these provisions with a view to adopting a less stringent law within a year or so from now.”

He also took to Twitter to voice his predictions: