EU data protection reform: Council confirms agreement with the European Parliament

18 December 2015

The Permanent Representatives Committee (Coreper) confirmed the compromise texts agreed with the European Parliament on data protection reform.

The principles and rules on the processing of personal data of individuals must respect fundamental rights and freedoms, notably the right to protection of personal data. These strengthened data protection rights give data subjects (the individuals whose personal data is being processed) more control over their personal data: 

To ensure proximity of legal redress, data subjects have the right to have a decision of their data protection authority reviewed by their national court, irrespective of the member state in which the data controller is established.

Increased business opportunities in the digital single market

The regulation provides for a single set of rules, valid across the EU and applicable to both European and non-European companies offering online services in the EU. This avoids a situation where conflicting national data protection rules might disrupt the cross-border exchange of data. It also provides for increased cooperation between member states to ensure coherent application of the data protection rules across the EU. This will create fair competition and will encourage companies, especially small and medium-sized enterprises, to get the most out of the digital single market.

To reduce costs and provide legal certainty, a single supervisory decision is taken in important cross-border cases where several national supervisory authorities are involved. This one-stop-shop mechanism allows a company which is active in several member states to deal only with the data protection authority in the member state of its main establishment. The mechanism also provides for a single decision applicable to the entire EU territory in case of disputes.

With a view to reducing administrative costs, the regulation applies a risk-based approach: data controllers can implement measures according to the risk involved in the data processing operations they perform. Different businesses have different activities, and the privacy risks of those activities can vary. The regulation provides for no one-size-fits-all solution: the greater the risks of the activities for the personal data, the more stringent the obligations.

More and better tools to enforce compliance with the data protection rules

The regulation provides a range of measures to increase the responsibility and accountability of data controllers in order to ensure full compliance with the new data protection rules. Data controllers must implement a number of security measures and, in certain cases, notify personal data breaches. To future-proof the regulation, the principles of data protection by design and by default are introduced. Public authorities, and companies that perform certain risky data processing, must designate a data protection officer to ensure compliance with the rules.

Data subjects and, under certain conditions, data protection organisations can lodge a complaint with a supervisory authority or seek a judicial remedy where the data protection rules are not complied with. Data controllers can face maximum fines of up to €20 million or 4% of their global annual turnover, whichever is higher.

Guarantees on the transfer of personal data outside the EU

The regulation lays down the rules for transferring personal data to third countries and international organisations. Transfers may take place provided that a number of conditions and safeguards are met, in particular where the Commission has decided that an adequate level of protection exists. New adequacy decisions will have to be reviewed at least every 4 years. Existing adequacy decisions and authorisations remain in force until amended, replaced or repealed.   

Data protection directive in the field of law enforcement

This directive is aimed at protecting personal data processed for prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 

It is crucial to ensure a consistent and high level of protection of personal data of individuals while at the same time facilitating the exchange of personal data between law enforcement authorities in the different member states. 

Broader scope of application

In addition to covering activities aimed at preventing, investigating, detecting and prosecuting criminal offences, the new directive has been extended to cover the safeguarding against and prevention of threats to public security.

The new directive would apply to both the cross-border processing of personal data as well as the processing of personal data by the police and judicial authorities at purely national level. The framework decision, which will be replaced, covered only cross-border exchange of data. 

Data subject's rights

The rules strike a balance between the right to privacy and the need for the police not to reveal that data is being processed at an early stage of an investigation. However, the text lists the information that data subjects are always entitled to receive in order to protect their rights if they fear that their data protection rights have been infringed.

The new rules will also cover the transfer of personal data to third countries and international organisations. 

Compliance

The new directive provides that a data protection officer is appointed to help the competent authorities ensure compliance with the data protection rules.

Another tool to ensure compliance is the impact assessment. Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the competent authorities must carry out an assessment of the potential impact of the envisaged processing, in particular when using new technology.

Monitoring and compensation

The text of the directive is aligned with the text of the regulation in order to ensure that in broad terms the same general principles apply. In addition, the rules on the supervisory authority are to a large extent similar because the supervisory authority established in the general data protection regulation can also deal with matters falling under the directive. The new directive would also grant data subjects the right to receive compensation if they have suffered damage as a consequence of a processing that has not respected the rules.

Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)


© European Council