EU data protection regulation: the long road to reform | Practical Law


In March 2014, the European Parliament voted by an overwhelming majority to approve the amended draft text of the new EU data protection regulation. Companies in the EU, as well as companies outside the EU targeting individuals in the EU, may face large fines for breaching the regulation. The proposals also allow individuals to seek compensation for loss arising from misuse of their personal data.


Practical Law UK Articles 8-565-4665 (Approx. 4 pages)


by Ben Slinn and Barry Murphy, Baker & McKenzie LLP
Published on 24 Apr 2014
European Union, United Kingdom


In March 2014, the European Parliament took the next step on the road to reforming the EU data protection regime by voting by an overwhelming majority to approve the amended draft text of the new EU data protection regulation (the draft regulation).
Companies in the EU, as well as companies outside the EU targeting individuals in the EU, may face large fines of up to 5% of global turnover for breaching the draft regulation. There is also an increased likelihood of these companies having to pay damages to individuals, as the proposals allow individuals to seek compensation for loss, including for distress and anxiety, arising from the misuse of their personal data.

The background

The European Commission (the Commission) published the original draft text of the regulation in January 2012 (see News brief "EU data protection reforms: less red tape but more housekeeping?"). The draft regulation then went through a process of substantial amendment by the European Parliament's Committee for Civil Liberties, Justice and Home Affairs (LIBE), before going to the full European Parliament.
The draft regulation will be decided by the ordinary process (formerly called the co-decision process). This requires the agreement of both the Council of the EU (the Council) and the European Parliament, with each voting on the other's proposal. Negotiations with the Council to agree the final text of the draft regulation are due to begin in summer 2014 and there is now pressure on the Council to set out its position.

Territorial scope

Companies that are not currently subject to the EU data protection regime (such as data processors, and, in certain circumstances, organisations outside the EU) could find themselves subject to the requirements of the draft regulation, including being subject to potential fines by data protection authorities and claims for compensation by individuals where there is a breach of the draft regulation.
Currently, the Data Protection Act 1998 (DPA) applies to data controllers established in the UK as well as data controllers that are not established in the EEA, but which use equipment located in the UK to process personal data (other than merely for the purpose of transit).
The Commission's original proposed text would extend the territorial scope of EU data protection laws to apply to:
  • Data controllers or data processors established in the EU.
  • The processing of personal data by a data controller established outside the EU in relation to data subjects residing in the EU where the processing relates to the offering of goods or services to data subjects in the EU or the monitoring of the data subject's behaviour.
The European Parliament's proposal is that the draft regulation would apply to data controllers and data processors established in the EU, regardless of whether the processing takes place in the EU. In addition, the extra-territorial scope of the draft regulation would apply to both data controllers and data processors outside the EU where the processing relates to data subjects in the EU (rather than "residing" in the EU). The proposal also clarifies that the draft regulation would apply to data controllers and data processors outside the EU where the processing relates to offering goods or services regardless of whether a payment is required from the data subject.
The European Parliament also proposes that the extra-territorial scope of the draft regulation will apply where there is monitoring of data subjects in the EU (rather than monitoring data subjects' behaviour).

Increased fines

The Commission and the European Parliament have divergent views on the level of fines that companies should pay for breaching the draft regulation, although they both generally agree that the fines should be substantially increased.
Currently, under the DPA, the UK data protection authority, the Information Commissioner's Office (ICO), can impose fines of up to £500,000. The ICO can impose these fines on data controllers where there is a serious breach of the data protection principles set out in the DPA, the breach is likely to cause substantial damage or substantial distress, and either:
  • The breach was deliberate; or
  • The data controller knew or ought to have known that there was a risk that the contravention would occur and that such a breach would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the breach.
The draft regulation proposes that fines can be imposed on data processors, as well as data controllers, for breaches of the draft regulation. This is important from the perspective of data processors, as they are not currently subject to fines by the ICO for breaches of the DPA.
The current proposals would significantly increase the maximum fines that may be imposed on companies. The Commission's original draft text proposed fines of 2% of global turnover, or €1 million if greater, for serious breaches of the draft regulation, such as failing to process personal data according to the draft regulation.
The European Parliament's adopted draft of the regulation seeks to increase the maximum fines to 5% of global turnover, or €100 million if greater. However, organisations possessing a European data protection seal would only be subject to such a fine for intentional or negligent breaches. This seal would be awarded to companies that demonstrate to the relevant regulator that they comply with the draft regulation, and pay a small fee.
Even if the Council proposes substantially lower fines than those proposed by the Commission and the European Parliament, any such fines are still likely to be higher than the current level that the ICO is able to impose under the DPA.
The Commission's original draft text proposed that organisations should pay a fine of 0.5% of global turnover, or €250,000 if greater, for relatively minor breaches of the draft regulation, including breaches relating to individuals' access rights. LIBE responded to criticism of this proposal by replacing the fixed fine with more subjective, risk-based sanctions (that is, issuing warnings and auditing companies' compliance).

Damages for individuals

The Commission's and the European Parliament's proposals relating to individuals' rights to compensation have been less fractious. Both bodies appear to agree that data controllers and data processors should be liable to individuals who suffer losses as a result of their breach of the draft regulation. This is an important change from the perspective of data processors because, currently, an individual who suffers damage or (in certain circumstances) distress can bring a claim only against a data controller (section 13, DPA).
Therefore, under the draft regulation, data processors will also potentially be exposed to damages claims from individuals for breaches of the draft regulation. The European Parliament has proposed that the damages applicable to these claims will not be limited to pecuniary loss. The relative agreement between the Commission and the European Parliament on this issue suggests that it is already a done deal. The Council's position on this issue will be awaited with interest.

What next?

The Council is due to meet in June 2014 regarding the draft regulation, and that meeting should hopefully provide clarity on the next steps.
To date, indecision between EU member states has delayed the progress of the regulation. However, there is pressure on the Council to agree a position as negotiations to pass the draft regulation are due to begin in summer 2014. The draft regulation currently has a two-year lead-in time. This means that even if the draft regulation is agreed in 2014, it will not come into force until 2017.
Ben Slinn is an associate, and Barry Murphy is a paralegal, at Baker & McKenzie LLP.