Authored by Gerald Ferguson and Alan M. Pate

On Monday, October 21, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted to approve an amended version of the proposed EU General Data Protection Regulations.  Included in the compromise package is Article 43a, a provision that restricts controllers or processors of EU data from disclosing that data to third-country administrative or judicial authorities. Under proposed Article 43a, if a third-country authority asks a company to disclose EU data, that company must seek permission from the relevant European national data protection authority and inform the data subject of the disclosure.

If ultimately enacted, this requirement could leave many U.S. businesses, which hold data of EU nationals, facing a very difficult choice: (1) violate U.S. law by not complying with a demand from US law enforcement authorities; or (2) violate EU law and face stiff penalties (increased under Article 79 of the most recent proposed regulations to as high as the greater of €100 million or 5% of a company’s annual worldwide turnover). Ultimately, this conflict of laws could have severe consequences for Inter-Atlantic trade.  Many routine business interactions between U.S. and EU companies (e.g. the processing of online sales transactions) could potentially be impacted.

Article 43a appears to be in reaction to the National Security Administration’s (NSA) PRISM program, which was recently brought to light by Edward Snowden. LIBE member Jan-Phillip Albrecht, who introduced the compromise package, confirmed the influence of the NSA’s program on the amendments, stating:

Whistleblower Edward Snowden and the Prism scandal laid the ground for the report’s demand: companies like Google are not allowed to transfer data to third countries´ authorities. This can only occur under European law or an agreement based on European law. Without any concrete agreement there would be no data processing by telecommunication and internet companies allowed. This was part of a first draft of the Commission’s proposal but deleted after intensive lobbying of the American government. It is back in the draft Parliament report.

If ultimately approved by European Parliament (and its 28 Member States), Article 43a could effectively nullify the U.S.-EU Safe Harbor Framework currently in place.  Under the Framework today, U.S. businesses may process the data of EU nationals if they adhere to seven privacy principles, memorialize this in a public privacy policy, and then self-certify with the U.S. Department of Commerce. U.S. Businesses certified under the Framework are then deemed to have “adequate” data protection practices under the European Commission’s 1998 Directive on Data Protection.  The text of Article 43a (not yet officially published but leaked prior to the vote) does not explicitly mention the interaction it would have with the U.S.-EU Safe Harbor Framework, but when read strictly, it effectively renders the Framework meaningless.  U.S. businesses, in complying with domestic legal obligations to turn over EU nationals’ data to the NSA or other government agencies, would be in violation of EU law regardless of whether or not they complied with the privacy principles set out in the Framework.

Whether Article 43a and the rest of the compromise package comes into force remains to be seen.  Parliament’s next step is to negotiate the proposal with the member states and EU Council. Parliament’s goal is to reach agreement with the Council before the next European Elections in May of 2014.   If adopted, the member states would then have 2 years to pass their own laws implementing the directive.