EU Data Protection Regulation – Takes a Large Step Forward

By Kevin Bailey, Head of Market Strategy

Following a heated debate yesterday, albeit in a rather empty EU parliament chamber, the European Parliament today cemented the strong support previously given at committee level to the European Commission's data protection reform; voting in plenary with 621 votes in favour, 10 against and 22 abstentions for the Regulation and 371 votes in favour, 276 against and 30 abstentions for the Directive.

This means that once the regulation is passed, following two more votes of all member states (28 countries), there will be greater enforcement of the use around Personal Identifiable Information (PII) by law within the EU.

The European Commission's data protection reform is believed to help the digital single market through three main innovations:

  1. One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
  2. One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
  3. The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules.


A small advertising company wants to expand its activities from Spain to Italy. Its data processing activities are currently subject to a separate set of rules in Italy and the company will have to deal with a new regulator. The costs of obtaining legal advice and adjusting business models in order to enter this new market may be prohibitive. For example, some Member States charge notification fees for processing data. While the fee in Spain is zero, in Italy notification costs €150. The Commission's proposal will scrap all notification obligations and the costs associated with these. The aim of the data protection regulation is to remove obstacles to cross-border trade.

Why is this important to organizations? 

The new law, yes law not directive, means that all businesses within the 28 European member states have to comply with the regulation and anyone who does not comply with the obligations laid down in this Regulation will be subject to the supervisory authority imposing at least one of the following sanctions:

  • A warning in writing in cases of first and non-intentional non-compliance;
  • Regular periodic data protection audits;
  • A fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater.

The rules will also be flexible

The EU rules will adequately and correctly take into account risk. They want to make sure that obligations are not imposed except where they are necessary to protect personal data: so, the baker on the corner will not be subject to the same rules as a (multinational) data processing specialist. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and to the nature of the data being processed. For example, SMEs will not be fined for a first and non-intentional breach of the rules.

An understanding of what information a business manages, the [authorized] sharing of information and the appointment of a Data Protection Officer (DPO) are a few of the changes organizations need to introduce or enhance. No longer will an inoperative set of published policies, processes and procedures previously agreed on a tick box audit be substantive enough to pass accreditation of the regulation. This means that organization’s information governance strategy and the prevention of unauthorized data access and sharing need to be operational.

Why is of this important to EU Citizens?

The right to be forgotten builds on already existing rules to better cope with data protection risks online. It is the individual who should be in the best position to protect the privacy of their data by choosing whether or not to provide it. It is therefore important to empower EU citizens, particularly teenagers, to be in control of their own identity online. If an individual no longer wants his or her personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from the system.

But, the right to be forgotten is of course not an absolute right.

The data subject (EU Citizen) shall have the right to obtain from the controller (organization) the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data, where one of the following grounds applies:

  1. The data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  2. The data subject withdraws consent on which the processing is based or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
  3. The data subject objects to the processing of personal data pursuant to Article 19;
    a. A court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased;
  4. The data has been unlawfully processed.

Most authorities do not believe this will become law until either late 2014 or early 2015 due to the new European parliament elections happening in May 2014, but there will be greater noise in the market around this regulation as all organizations from the smallest start-up to the largest Corporates start to plan their frameworks to keep the ICO from their doors.