Data protection laws will apply to all companies doing business in the European Union, national Justice Ministers agreed today (6 June), as they adapted legislation to take a recent EU ruling against Google into account.

The European Court of Justice decided in May that California-based Google was responsible for processing personal data appearing on web pages published by third parties, such as newspapers. Google had appealed an order from the Spanish data authority to remove information about a man whose home was auctioned off to pay for unpaid taxes.

The Luxembourg court rejected Google’s argument that the processing of personal data by Google Search was unrelated to the context of Google Spain’s activities. It said Google Spain should be defined as an “establishment” of Google Search and so must apply EU privacy law.

By agreeing on two main points in a so-called “partial general approach”, namely the rules that govern data transfers to third countries and the scope of the proposed regulation, the ministers brought the proposed Data Protection Regulation in line with the Google ruling. Both the Council and the European Parliament must agree on an identical text before it can become law.

But ministers failed to agree on common underlying principles relating to net neutrality, the principle of an open internet. They had different views on how to balance net neutrality and reasonable traffic management. Net neutrality is the principle that governments and internet service providers should not discriminate between data on the internet on the basis of user, content or site.

Luxembourg Justice Minister Félix Braz said, “The recent ruling by the court of justice has been discussed […] we’ve got the case of Google Spain and it shows it is the court busy implementing the law in this digital era, it really is up to us as legislators to update our regulatory framework […] Let’s not let the court do our work for us.”

Commissioner Viviane Reding said at the meeting in Luxembourg, “On the data protection reform, we clearly moved from dormant to dynamic negotiations. It's in the interest of companies to have legal certainty rather than having to spend money on costly lawsuits only to arrive at the same result at the end.”

Trade association DIGITALEUROPE welcomed the partial agreement reached by Justice and Home Affairs ministers during their discussion about the General Data Protection Regulation on Friday.

The text on international data transfers they signed up to will ease data flows both within the EU and beyond, it said. Speaking on behalf of DIGITALEUROPE, Rene Summer, Director for Government and Industry Relations at Ericsson, said, “The improvements to chapter 5 come at zero cost to citizens’ privacy. This shows that there doesn’t have to be a trade-off between improving the legal framework for companies and protecting citizens’ data.”

Member states did not reach agreement on the one-stop-shop, one of the core elements of the proposed legislation. DIGITALEUROPE supports the concept of the one-stop-shop, where one data protection authority acts as lead authority for the whole EU.

“It is vital that ministers agree on a workable one-stop-shop approach. It will help ensure a consistent application of data protection law across the EU, giving companies the legal certainty they need to do business,” Summer said.

Cybersecurity and telecoms package

The Council took note of progress made on a proposal aimed at ensuring a high level of network and information security across the EU and said the approach set out in the presidency report in relation to the proposal could be a good basis for further work.

“There is an urgent need to improve cybersecurity protections in Europe, and we welcome the ongoing discussions among policymakers on how best to improve the safeguards for European citizens and businesses,” said Thomas Boué, Director, Policy – EMEA for BSA, The Software Alliance.

“An effective network and information security framework in Europe will be one that provides legal certainty and allows flexibility for the private sector to respond to fast-changing cyber threats,” he added.

The Council also took note of the state of play regarding a proposal intended to amend the EU's telecommunications regulatory framework. The package is seen as vital for the Digital Agenda but questions have been asked whether the initiative will meet its 2015 deadline. The Greek Presidency of the EU has 24 days to run before Italy takes over. One option would be to split the package to secure agreement from national governments sooner.

Digital Commissioner Neelie Kroes said in a press conference after the meeting, “We have arguments enough that we can make it before the end of year, otherwise we are losing years… I am confident we can make it.”