European Parliament Votes in Favor of General Data Protection Regulation and Threatens Suspension of Data Transfers to U.S.

On March 12, 2014, the European Parliament resoundingly voted for the EU General Data Protection Regulation ("Regulation") proposed by the EU Commission on January 25, 2012.[1] The Parliament largely backed the report on and proposed amendments to the Regulation that the Committee for Civil Liberties, Justice and Home Affairs ("LIBE") of the European Parliament adopted in October 2013. The Regulation as amended by the LIBE Committee could seriously affect companies operating in the EU. It requires inter alia:

Antitrust-Like Fines. The Regulation increases the fining powers of authorities, such that fines can go up to the higher of €100 million or 5 percent of annual worldwide turnover (i.e., sales) in the case of an enterprise, instead of €1 million or 2 percent of annual worldwide turnover as proposed by the Commission.

Extended Territorial Scope. The Regulation would be applicable to a controller not established in the EU when its processing activities are related to either offering goods or services to individuals in the EU (irrespective of whether payment is required) or monitoring individuals in the EU.

Limitation on Legal Process Outside the EU. The Parliament added a provision stating that no third-country court judgment or administrative decision that requires disclosure of personal data will be recognized or enforced (except under international agreement). Where such a request is made to a controller, it must obtain prior authorization from the supervisory authority to transfer or disclose the data. The relevant data subjects must also be informed.

Data Protection Officers ("DPOs"). The controller and the processor must designate a DPO in cases in which processing is carried out by a legal person and relates to more than 5,000 data subjects in any consecutive 12-month period. This is a shift from the criterion of the number of employees (at least 250) suggested by the Commission. As a consequence, large companies with low data processing activities can be exempted, while small "Big Data" companies can be covered. DPOs are appointed for at least four years (in the case of employees) or two (in the case of external contractors).

This plenary vote means that the position of the EU Parliament will not change even if its membership changes as a result of the European elections in May 2014. However, in order for the Regulation to become law, it must also be adopted by the European Council, made up of all 28 EU Member States. Because the Council has not yet agreed upon a common position on the reform of data protection law, it is doubtful that the Regulation will be adopted this year.

Safe Harbor Suspension

On March 12, 2014, the European Parliament passed a resolution describing its findings and recommendations following a six-month investigation by the LIBE Committee into mass surveillance schemes carried out by the U.S. This resolution calls for the suspension of the U.S.-EU Safe Harbor Framework unless the U.S. satisfies the concerns of the EU Parliament. The EU Parliament further threatened to withhold its consent to the final Transatlantic Trade and Investment Partnership ("TTIP")[2] deal with the U.S. The Safe Harbor scheme and TTIP are key elements promoting free data flows between the U.S. and EU.

Although the Parliament's resolution cannot invalidate the Safe Harbor Framework, it increases the political pressure on the EU Commission as it reconsiders the Safe Harbor Framework. In November 2013, the Commission issued 13 recommendations to improve the functioning of the Safe Harbor scheme, and it called upon U.S. authorities to identify remedies to perceived defects by summer 2014,[3] at which time the Commission plans to review the Safe Harbor scheme generally.

While an immediate suspension of the Safe Harbor Framework seems unlikely, companies should closely monitor the developments and be prepared for heightened Safe Harbor requirements.

Lawyer Contacts 

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com. 

Laurent De Muyter
Brussels
+32.2.645.15.13
ldemuyter@jonesday.com

Jonathon Little
London
+44.20.7039.5224
jrlittle@jonesday.com

Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Katherine S. Ritchey
San Francisco
+1.415.875.5728
ksritchey@jonesday.com

Gregory P. Silberman
Silicon Valley
+1.650.739.3954
gpsilberman@jonesday.com

Dr. Undine von Diemar
Munich
+49.89.20.60.42.200
uvondiemar@jonesday.com

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.