European Parliament Votes to Approve New EU Data Protection Regulation and Immediate Suspension of Safe Harbor

The European Parliament voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).

According to the European Commission’s press release, “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”

EU Data Protection Regulation

The Regulation was originally published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history. On October 22, 2013 the LIBE Committee voted on the Regulation, adopting all amendments. Once passed into legislation, the Regulation will have a significant impact on governments, businesses and individuals for the rest of this decade and beyond.

In order for the Regulation to become law, it must be adopted by both EU Member State representatives in the EU Council of Ministers as well as by the European Parliament and the European Commission. The vote on March 12, 2014 now confirms the position of the Parliament and means the Parliament is ready to negotiate the final text of the Regulation with the EU Council, bringing the Regulation significantly closer to being finalized.

However, the Council of Ministers has recently lengthened the legislative process by failing to commit to a spring 2014 deadline to complete negotiations and by backtracking on a tentative commitment to support the vital “one stop shop” mechanism that would allow multinational companies to deal with only one EU Data Protection Authority. The Council is now expected to finalize its position after the European elections in May, with the aim of finalizing the Regulation with the European Parliament and the European Commission by the end of 2014.

The main elements of the proposed Regulation include, among others:

  • Enforcement: significant fines for non-compliance with the proposed Regulation of up to 5% of annual worldwide turnover or €100 million, whichever is the greater.
  • Scope of Regulation: a broad extra-territorial application to businesses established in the EU but also to businesses outside the EU that offer goods or services to European customers and process their personal data.
  • Profiling: significantly for online companies, every individual will now have a general right under the Regulation to object to profiling, and businesses will have an obligation to inform individuals about the right to object to profiling in a “highly visible manner.”
  • Explicit Consent: consent for processing of personal data should be explicit with affirmative action required under the proposed Regulation.
  • Right of Erasure: in the latest amendments the “Right to be Forgotten” has been replaced by a “Right of Erasure” giving individuals a right to have their personal data erased where the data is no longer necessary or where they withdraw consent.
  • Accountability: businesses will be required to adopt all reasonable steps to implement compliance procedures and policies that respect the choices of individuals; these should be reviewed every two years. Businesses will also need to implement privacy by design, keep detailed documentation, carry out privacy impact assessments and appoint data protection officers.

EU Resolution calling, inter alia, for the immediate suspension of Safe Harbor

On February 21, 2014, the LIBE Committee formally adopted the Resolution, responding to the U.S. NSA surveillance program, as well as surveillance in various EU Member States and the impact on EU citizens’ fundamental rights and on transatlantic cooperation.

The Resolution sets out a series of radical recommendations to limit access to personal data of European citizens as part of mass surveillance. The Resolution indicates that the LIBE Committee intends to submit the recommendations in the Resolution to EU citizens, European Institutions and Member States after the European Parliamentary elections in May 2014. The recommendations would form part of a priority plan involving the creation of a European Digital Habeas Corpus for protecting privacy.

However, it is likely that the Resolution will encounter opposition from the European Commission in the coming months. The Commission has already rejected a push to suspend the Safe Harbor, stating in its November 2013 report entitled “Restoring Trust in EU-U.S. Data Flows” that the Safe Harbor should be allowed to continue as long as the U.S. takes certain steps laid out by the Commission to increase transparency and oversight.

The main recommendations in the Resolution include, among others:

International transfers of data

Safe Harbor

  • Calls on the European Commission to immediately suspend Commission Decision 520/2000 which approved the Safe Harbor privacy principles and related FAQs issued by the U.S. Department of Commerce;
  • Calls on U.S. authorities to put forward a proposal for a new framework for transfers of personal data from the EU to the U.S. which meets EU data protection requirements; and
  • Calls on EU Data Protection Authorities to suspend data flows to an organization that has self-certified its adherence to the U.S. Safe Harbor Principles and to require that such data flows are carried out only under other instruments such as the EU’s contractual clauses.


  • Calls on the U.S. authorities and the EU Member States to prohibit blanket mass surveillance activities.
  • Calls on the U.S. to revise its legislation so that it is in line with the Committee’s view of international law and expressly recognizes the privacy and other rights of EU citizens.

EU IT Security

  • Calls on the Commission, standardization bodies and ENISA (European Network and Information Security Agency), by December 2014, to develop minimum security and privacy standards and guidelines for IT systems, networks and services, including cloud computing services, in order to better protect EU citizens’ personal data and the integrity of all IT systems.

The votes by the European Parliament on the Regulation and the Resolution are significant as they set out the firm position of the Parliament. It will now be key for businesses to follow closely how the discussions between the Parliament, the EU Council of Ministers and the European Commission develop over the next few months, as the final outcome on the Regulation and the Resolution could have a profound impact on businesses in the EU, in the U.S. and internationally for years to come.

If you have any questions regarding this update, please contact the following or the Sidley lawyer with whom you usually work:

William Long

John Casanova

Alan Charles Raul
