On 15 June 2015 the EU Council of Ministers (Council) reached a General Approach to the long-awaited draft Data Protection Regulation (DPR), bringing Europe one step closer to a single, harmonised set of data protection rules across its 28 member states.
The existing European data protection regime dates back to 1995 (Directive 95/46/EC). It is based primarily on a directive, which has only indirect effect in each EU Member State: national legislation was required to implement the directive's provisions, which has produced a web of differing national laws across the EU. The original draft of the DPR, which will replace the existing regime and update European privacy law, was published by the European Commission in January 2012, and the European Parliament adopted its first reading position on the DPR proposals in March 2014. When it comes into effect, the DPR will apply directly in each Member State (that is, without the need for any local enabling legislation, and in the same way in each Member State), as well as in those European Economic Area States which adopt the DPR directly.
Some of the key proposals endorsed by the Council on the DPR include:
- The “explicit” consent of the individual to whom the personal data relates (the “data subject”) for the processing of personal data is still required in some circumstances under the Council’s draft of the DPR. The language used in the current Directive is retained (namely, the “freely given, specific and informed” consent of the data subject must be obtained before his/her personal data may be used);
- The principle of the “right to be forgotten” is retained, but not as an absolute right – there are exceptions proposed for compliance with legal obligations. This means that data subjects will not unequivocally be entitled to demand that their personal data be erased in circumstances where that data is required for legal reasons;
- The right to data portability, making it easier for data subjects to transfer personal data between service providers;
- The requirement for companies to report all data breaches to national regulators and individuals whose personal data is affected by the breach – the current regime has led to a multitude of different requirements and obligations in relation to data breaches across the European Economic Area, and it is hoped that the DPR will provide a harmonising effect in this regard;
- The legislation’s application to non-EU companies offering services to EU consumers as well as to EU companies operating within the EU; and
- Penalties of up to €1 million or up to 2 percent of a company’s global annual turnover.
Now that the Council has reached agreement on its version of the DPR, negotiations can commence between the European Commission, the European Parliament and the Council (this is known as the “Trilogue process”). The first Trilogue meeting will take place on June 24.
Final adoption of the DPR is expected by the end of 2015 or early 2016. The DPR will then come into force automatically in all Member States two years after the final agreed text is published in the Official Journal of the European Union.