Ministers move to ensure 'right to be forgotten' applies to non-EU companies
Data protection laws will apply to all companies doing business in the European Union, national Justice Ministers agreed today (6 June), as they adapted legislation to take a recent EU ruling against Google into account.
The European Court of Justice decided in May that California-based Google was responsible for processing personal data appearing on web pages published by third parties, such as newspapers (here). Google had appealed an order from the Spanish data authority to remove information about a man whose home was auctioned off to pay for unpaid taxes.
The Luxembourg court rejected Google’s argument that the processing of personal data by Google Search was unrelated to the context of Google Spain’s activities. It said Google Spain should be defined as an “establishment” of Google Search and so must apply EU privacy law.
By agreeing on two main points, a so-called “partial general approach”, rules that govern data transfers to third countries and the scope of the proposed regulation, the ministers brought the proposed Data Protection Regulation in line with the Google ruling. Both Council and European Parliament must agree an identical text before it can become law.
But ministers failed to agree on common underlying principles relating to net neutrality, the principle of open internet. They had different views on how to balance net neutrality and reasonable traffic management. Net neutrality is the principle that governments and internet service provider should not discriminate between data on the internet on the basis or user, content or site (more here).
Luxembourg Justice Minister Félix Braz said, “The recent ruling by the court of justice has been discussed[…]we’ve got the case of Google Spain and it shows it is the court busy implementing the law in this digital era, it really is up to us as legislators to update our regulatory framework[...]Let’s not let the court do our work for us.”
Commissioner Viviane Reding said at the meeting in Luxembourg, “On the data protection reform, we clearly moved from dormant to dynamic negotiations. It's in the interest of companies to have legal certainty rather than having to spend money on costly law suits only to arrive at the same result at the end."
Trade association DIGITALEUROPE welcomed the partial agreement reached by Justice and Home Affairs ministers during their discussion about the General Data Protection Regulation on Friday.
The text on international data transfers they signed up to will ease data flows both within the EU and beyond, it said. Speaking on behalf of DIGITALEUROPE, Rene Summer, and Director for Government and Industry Relations at Ericsson said, “The improvements to chapter 5 come at zero cost to citizens’ privacy. This shows that there doesn’t have to be a trade off between improving the legal framework for companies and protecting citizens’ data.”
Agreement was not reached by member states on one-stop-shop, one of the core elements of the proposed legislation. DIGITALEUROPE supports the concept of the one-stop-shop, where one data protection authority acts as lead authority for the whole EU.
“It is vital that ministers agree on a workable one-stop-shop approach. It will help ensure a consistent application of data protection law across the EU, giving companies the legal certainty they need to do business,” Summer said.
Cybersecurity and telecoms package
The Council took note of progress made on a proposal aimed at ensuring a high level of network and information security across the EU. and said the approach set out in the presidency report in relation to the proposal could be a good basis for further work.
“There is an urgent need to improve cybersecurity protections in Europe, and we welcome the ongoing discussions among policymakers on how best to improve the safeguards for European citizens and businesses,” said Thomas Boué, Director, Policy – EMEA for BSA, The Software Alliance.
"An effective network and information security framework in Europe will be one that provides legal certainty and allows flexibility for the private sector to respond to fast-changing cyber threats,” he added.
The Council also took note of the state of play regarding a proposal intended to amend the EU's telecommunications regulatory framework. The package is seen as vital for the Digital Agenda but questions have been asked whether the initiative will meet its 2015 deadline. The Greek Presidency of the EU has 24 days to run before Italy takes over. One option would be to split the package to secure agreement from national governments sooner.
Digital Commissioner Neelie Kroes said in a press conference after the meeting, "We have arguments enough that we can make it before the end of year, otherwise we are losing years…I am confident we can make it.”
The European Commission proposed last September a wide reform of the telecoms sector intended to kick-start the underperforming European telecoms sector and incentivise investment in ultra-fast broadband networks.
Brussels proposed to create a real single market for telecoms in Europe, since the sector still operates largely on the basis of 28 national markets.
Under the Commission's plan, this should be achieved by ending roaming surcharges for mobile services abroad, better coordinating radio spectrum allocation, protecting the neutrality of the Internet (although granting higher discretionary power to Internet service providers) and raising consumer protection.
The ECJ ruling followed an appeal by Google against an order to remove links to two news stories regarding a real estate auction to pay unpaid taxes.
The order from Spain's data authority is being examined by a tribunal, who referred the case to the European Court of Justice to clarify a number of points of EU law. The ECJ found that Google did have to apply EU privacy law and that, under certain circumstances, it should have to edit or remove its search results.
End of the year: Deadline for telecoms package