On Monday, October 21, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted to approve an amended version of the proposed EU General Data Protection Regulations. Included in the compromise package is Article 43a, a provision that restricts controllers or processors of EU data from disclosing that data to third-country administrative or judicial authorities. Under proposed Article 43a, if a third-country authority asks a company to disclose EU data, that company must seek permission from the relevant European national data protection authority and inform the data subject of the disclosure.
If ultimately enacted, this requirement could leave many U.S. businesses, which hold data of EU nationals, facing a very difficult choice: (1) violate U.S. law by not complying with a demand from US law enforcement authorities; or (2) violate EU law and face stiff penalties (increased under Article 79 of the most recent proposed regulations to as high as the greater of €100 million or 5% of a company’s annual worldwide turnover). Ultimately, this conflict of laws could have severe consequences for Inter-Atlantic trade. Many routine business interactions between U.S. and EU companies (e.g. the processing of online sales transactions) could potentially be impacted.
Article 43a appears to be in reaction to the National Security Administration’s (NSA) PRISM program, which was recently brought to light by Edward Snowden. LIBE member Jan-Phillip Albrecht, who introduced the compromise package, confirmed the influence of the NSA’s program on the amendments, stating:
Whistleblower Edward Snowden and the Prism scandal laid the ground for the report’s demand: companies like Google are not allowed to transfer data to third countries´ authorities. This can only occur under European law or an agreement based on European law. Without any concrete agreement there would be no data processing by telecommunication and internet companies allowed. This was part of a first draft of the Commission’s proposal but deleted after intensive lobbying of the American government. It is back in the draft Parliament report.
Whether Article 43a and the rest of the compromise package comes into force remains to be seen. Parliament’s next step is to negotiate the proposal with the member states and EU Council. Parliament’s goal is to reach agreement with the Council before the next European Elections in May of 2014. If adopted, the member states would then have 2 years to pass their own laws implementing the directive.