Skip to main content

The View from London: European Parliament Publishes Proposal for Revised Draft of EU Data Protection Regulation

Written by Susan Foster

The European Parliament recently published a report on the European Commission’s draft of a new EU Data Protection Regulation.  The report, which includes the European Parliament’s proposal for a revised draft of the Regulation runs to an astounding 215 pages.  The Parliament’s report is certain to fuel debate for months as industry readers and other stakeholders parse the proposed changes.

Many of the changes proposed by the Parliament substantially increase the burden on businesses by tightening up existing bases for using personal data.  The treatment of user consent is particularly alarming.  The Commission had originally proposed that companies would not be able to rely on consent where there was an “clear imbalance” of power between the data controller and the data subject, citing as an example an employer-employee relationship.  The Parliament proposes to expand this to situations where the data controller is in a “dominant market position” with respect to the goods or services in question, or where changes in terms of service are “non-essential” and not accepting the change would mean that the data subject would have to give up using an online service in which he or she had “invested significant time.”

On the other hand, some revisions proposed by the Parliament provide useful clarification and even in some cases cut back the burden that the Commission’s draft would impose on businesses.  For example, the Commission’s draft proposes that part of the “right to be forgotten” includes an obligation on a company to try to pull back personal data from third parties when a user exercises his or her right to be forgotten.  The Parliament’s draft limits the “pull back” obligation to situations where the transfer of the data to the third parties was “without legal justification” (which means that it never should have happened in the first place).  Companies will certainly welcome that change if the right to be forgotten survives in the final version of the Regulation.

We will be analyzing the complete 215 page report in further detail in subsequent blog posts.   Stay tuned.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.