The Council of the European Union has agreed on a general approach to the proposed EU General Data Protection Regulation (the “Regulation”). This marks a significant step forward in the legislative process, and the Council’s text will form the basis of its “trilogue” negotiations with the European Parliament and the European Commission. The aim of the trilogue process is to achieve agreement on a final text of the Regulation by the end of 2015. The first trilogue meeting is expected to take place on June 24, 2015.
Among the most significant features of the Council’s draft text are the revisions to the “establishment” and the “one-stop shop” concepts. These concepts will govern the application of the Regulation to data controllers that operate in more than one EU Member State. In particular, they will determine which data protection authority will regulate each controller’s data processing activities. They are, therefore, of critical importance to many international businesses.
Other key proposals in the Council’s text include: increased rights for data subjects; maximum penalties for non-compliance of €1 million or 2% of global annual turnover (a significant reduction from the €100 million / 5% figures proposed by the Parliament); and clarifications on the rules relating to cross-border data transfers.