EP adopts the Data Protection Reform Package

10:01am | 12 March 2014 | by Patrizia Simone, Estelle Masse, Raegan MacDonald


Today, the European Parliament adopted the Data Protection Regulation and Directive, commonly referred to as the Data Protection Reform Package (DPR). This vote represents another crucial step towards protecting European user data and the completion of the long-awaited reform proposed by the European Commission back in January 2012.

Europe’s existing data protection framework dates back to 1995, a time when only 1% Europeans could access the internet. The DPR aims to modernise existing legislation and harmonise the confusing array of legislation across the E.U. and put into law Europeans' fundamental right to data protection.  

The DPR introduces improved protections and controls on data portability, explicit consent, and privacy by design and by default. The reform also strengthens data protection authorities’ power to ensure compliance with the law, imposing stiff fines on companies in violation of the law.


While major improvements were made to the original text, the regulation adopted today by Parliament still includes dangerous loopholes that put European data protection at risk. For example, the regulation allows companies to process personal data and create user profiles (e.g. for marketing reasons) without individual consent, provided that the data remains pseudonymous. Although the European Parliament understands pseudonymous to mean ‘not directly related to you,’ the reality of the era of big data means that as few as two datasets, when analysed together, can easily determine an individual’s identity.


Under the new regulation companies can also process and utilise user data without consent if its within their “legitimate interest,” a vaguely defined term that gives permission to data controllers to share your information with “third parties.” Through this weak safeguard, the company must determine if its actions are in line with the user’s “reasonable expectations,” a phrase close to meaningless in our ever-changing digital environment.


After today, the DPR is in the hands of the Council of the European Union. Until recently progress there has been painfully slow, in part due to efforts by certain member states—namely Germany and the U.K.—to obstruct negotiations. However last week the Council finally started making progress, and is on track to adopt its own, final position later this summer, with Council representatives expected to look into the provisions on “pseudonymisation” during their next meeting in June.


Next steps

With the DPR process now in the hands of the Council, it is up to its representatives to close the final loopholes. Access, along with a coalition of international NGOs, submitted a public letter, calling for an end to unnecessary delays on the file and a constructive working progress  to strengthen the rights of citizens. The Council is now expected to conclude an agreement by Summer 2014 in order to complete the Data Protection Reform by the end of this year (as recommended in the LIBE report on mass surveillance revelations, also adopted by the Parliament today). After two years of negotiations in the E.U. institutions, it is high time to finalise this reform and provide E.U. citizens with the high standards for data protection they have been asking for, without further delays.


In today’s pervasive online environment, where vast amount of personal data are transferred and exchanged around the world, it is increasingly difficult for citizens to maintain control over their personal information. Today the European Parliament took positive steps towards increasing data protection standards for E.U. citizens. However, this reform process is only as strong as its weakest links: Despite some improvements to the Commission’s initial proposal, the adopted text contains provisions that undermine the strength of the overall proposal.


The Regulation adopted today could very well become an international standard for the protection of personal data. The E.U. has historically been a global standard setter for privacy and data protection, as companies around the world must comply with the European framework in order to do business. This is an opportunity for standards for data rights to improve around the world.


Stay tuned for more information on the negotiation process of this file in the Council.