On 15 June 2015, EU Justice and Home Affairs ministers have reached a general approach on the General Data Protection Regulation at their Council meeting (the document can be consulted here).

This means that, more than three years after the Commission’s initial proposal and more than one year after the European Parliament adopted its position, a compromise has been found within the Council on the basis of which the Council can now begin negotiations with the European Parliament and the Commission with a view to reaching a final text.

A first so-called trilogue with the Parliament and the European Commission is planned for next week on 24 June 2015. The ambition is to reach a final agreement by the end of 2015. Once formally approved and officially published, the Regulation will apply after a two-year transitional period.

However, a first analysis of the text adopted today shows that there are still some important issues to be discussed at the negotiating table:

  • Sanctions – Whereas the European Parliament called for administrative fines of up to EUR 100 million or up to 5 percent of an undertaking’s annual worldwide turnover (whichever is the greater), the Council has lowered the maximum administrative fines back to the level of the Commission’s proposal, i.e. EUR 1 million or 2 percent of an undertaking’s global annual turnover (whichever is the greater).
  • One-stop shop – During the past year’s negotiations the “one-stop-shop” mechanism has been weakened to a certain extent. The aim of this mechanism is to ensure that companies will only have to deal with one supervisory authority, instead of being confronted with potentially up to 28 national supervisory authorities. However, according to the Council’s compromise, each national supervisory authority will have the right to deal with a complaint if “the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.”
  • Data breach notifications – The provisions regarding the data breach notification to the national supervisory authorities and to the data subjects have been substantially amended by the Council, making them more business-friendly, notably by stipulating that they are only compulsory when the breach is “likely to result in a high risk for the rights and freedoms of the individuals […] or any other significant economic and social disadvantage“.
  • Explicit consent – Where processing is based on consent, the European Parliament requires this consent to be “explicit” whereas for the Council “unambiguous” consent suffices.
  • Data protection officer – Contrary to the Commission’s and the European Parliament’s versions of the draft Regulation, the text adopted today no longer requires companies to designate a data protection officer, leaving it to the Member States to decide whether or not to lay down this obligation.

It results from the above that interesting discussions are likely to follow in the coming weeks and months and we will keep a close eye on these and how they develop.