EU negotiators wrapped up talks on a major data protection reform last night (15 December) that will tighten privacy laws and determine how companies handle consumers’ personal data.
The data protection regulation was hit with thousands of amendments and branded one of the top lobbied draft bills during its four-year stint in the legislative pipeline.
Following the October European Court of Justice decision that knocked down the Safe Harbour data transfer agreement between the EU and US, Europe’s tough privacy rules have been under the spotlight.
Technology companies and privacy lawyers are saying the new regulation will make Europe’s data protection rules a lot stricter. Current EU privacy legislation stems from the 1995 data protection directive.
“There are new concepts and new rules, enforcement will certainly be a major issue and there will be more sanctions at a higher level. It’s overall more severe,” said Tanguy Van Overstraeten, a partner specialised in data protection at the Brussels office of law firm Linklaters.
Under the new regulation, users can ask companies to apply the right to be forgotten and delete personal data if it's no longer relevant.
Compared to the 1995 directive, more kinds of personal information, including genetic data about health, are grouped as ‘sensitive’ and demand stricter privacy handling.
Companies can be hit with fines of up to four percent of their global turnover if they don’t comply with the rules. Negotiators previously clashed over the threshold for sanctions—the Parliament wanted a maximum threshold of five percent of global turnover, while the Commission and member states pushed for a two percent ceiling.
Talks over the regulation drew criticism in their final stretch for a provision that allows member states to require parental consent for minors aged 16 or younger before they agree to give up their personal data.
Privacy lawyers bemoaned that as one difference in how member states can implement the regulation.
“You have certain provisions that will not be tackled in the document itself but will be at the discretion of the national authorities. That will create a lot of discrepancy, which ultimately will not be beneficial to anybody,” Van Overstraeten said.
The final draft of the regulation to come out of negotiations still needs to be approved by the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) on Thursday (17 December) and by plenary vote in early 2016.
EU member states have two years to implement the regulation once it's approved.
Parliament rapporteur on the regulation, German MEP Jan Philipp Albrecht (Greens), said following the final negotiation session yesterday evening, “The new rules will give businesses legal certainty by creating one common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market.”
The regulation will also reform how national data protection authorities deal with consumer complaints. A so-called ‘one-stop-shop’ measure will allow EU residents to file complaints in their home countries and avoid the bureaucratic hurdle of dealing with authorities in other member states.
An independent oversight group, the European Data Protection Board, will be set up to coordinate national authorities that jointly address complaints from consumers in a country outside where a company is based.
The board is more broadly tasked with making sure the regulation is applied around the EU.
“I think DPAs [data protection authorities] are ready to work better together,” said European Data Protection Supervisor Giovanni Buttarelli, whose office will manage the board.
“We will be analysing the next steps to allow the European data protection board to be ready on day one,” he added.
National authorities are meeting tomorrow (16 December) in Brussels to discuss the new data protection board and the upcoming data transfer agreement with the US that will replace Safe Harbour.
The group of 28 regulators is adjusting to its more proactive role of authorising data transfers since the ECJ decision in October.
Buttarelli said the data protection regulation will “offer the parameters for the short and long term activities of the Commission” by laying the legal groundwork for future privacy legislation, including the new agreement with the US expected in early 2016.
Data protection directive
Negotiators also approved yesterday a final draft of the new data protection directive on law enforcement authorities’ handling and sharing of personal data.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate has taken a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.
- 17 December: Parliament's Civil Liberties, Justice & Home Affairs Committee (LIBE) vote on draft agreement of the data protection regulation
- Early 2016: Parliament votes on the draft regulation in plenary session