EU negotiators wrapped up talks on a major data protection reform last night (15 December) that will tighten privacy laws and determine how companies handle consumers’ personal data.
The data protection regulation was hit with thousands of amendments and branded one of the top lobbied draft bills during its four-year stint in the legislative pipeline.
Following the October European Court of Justice decision that knocked down the Safe Harbour data transfer agreement between the EU and US, Europe’s tough privacy rules have been under the spotlight.
Technology companies and privacy lawyers are saying the new regulation will make Europe’s data protection rules a lot stricter. Current EU privacy legislation stems from the 1995 data protection directive.
“There are new concepts and new rules, enforcement will certainly be a major issue and there will be more sanctions at a higher level. It’s overall more severe,” said Tanguy Van Overstraeten, a partner specialised in data protection at the Brussels office of law firm Linklaters.
Under the new regulation, users can ask companies to apply the right to be forgotten and delete personal data if it's no longer relevant.
Compared to the 1995 directive, more kinds of personal information, including genetic data about health, are grouped as ‘sensitive’ and demand stricter privacy handling.
Companies can be hit with fines of up to four percent of their global turnover if they don’t comply with the rules. Negotiators previously clashed over the threshold for sanctions—the Parliament wanted a maximum threshold of five percent of global turnover, while the Commission and member states pushed for a two percent ceiling.
Talks over the regulation drew criticism in their final stretch for a provision that allows member states to require parental consent for minors aged 16 or younger before they agree to give up their personal data.
Privacy lawyers bemoaned that as one example of how member states can implement the regulation differently.
“You have certain provisions that will not be tackled in the document itself but will be at the discretion of the national authorities. That will create a lot of discrepancy, which ultimately will not be beneficial to anybody,” Van Overstraeten said.
The final draft of the regulation to come out of negotiations still needs to be approved by the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) on Thursday (17 December) and by plenary vote in early 2016.
EU member states have two years to implement the regulation once it's approved.
Parliament rapporteur on the regulation, German MEP Jan Philipp Albrecht (Greens) said following the final negotiation session yesterday evening, “The new rules will give businesses legal certainty by creating one common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market.”
The regulation will also reform how national data protection authorities deal with consumer complaints. A so-called ‘one-stop-shop’ measure will allow EU residents to file complaints in their home countries and avoid the bureaucratic hurdle of dealing with authorities in other member states.
An independent oversight group, the European Data Protection Board, will be set up to coordinate national authorities that jointly address complaints from consumers in a country other than the one where a company is based.
The board is more broadly tasked with making sure the regulation is applied around the EU.
“I think DPAs [data protection authorities] are ready to work better together,” said European Data Protection Supervisor Giovanni Buttarelli, whose office will manage the board.
“We will be analysing the next steps to allow the European data protection board to be ready on day one,” he added.
National authorities are meeting tomorrow (16 December) in Brussels to discuss the new data protection board and the upcoming data transfer agreement with the US that will replace Safe Harbour.
The group of 28 regulators is adjusting to its more proactive role of authorising data transfers since the ECJ decision in October.
Buttarelli said the data protection regulation will “offer the parameters for the short and long term activities of the Commission” by laying the legal groundwork for future privacy legislation, including the new agreement with the US expected in early 2016.
Data protection directive
Negotiators also approved yesterday a final draft of the new data protection directive on law enforcement authorities’ handling and sharing of personal data.