What's the issue?

A new General Data Protection Regulation (GDPR) was proposed by the European Commission in early 2012 with the aim of updating and harmonising EU data protection law. The European Parliament approved its general approach to the reforms in the first half of 2014; since then, the draft legislation has been the subject of heavy negotiation in the Council.

What's the development?

The Ministers in the Justice Council have announced their agreed general approach on the Commission proposals for a GDPR.  This is a major step towards finalising the legislation. Among the proposals agreed by the Council are:

  • one Europe, one law – a single harmonised data protection law for the whole of Europe;
  • the 'one stop shop' approach – companies will deal with one law, not 28, and notification requirements will be removed. Individuals will only have to deal with their home national data protection authority (DPA) in their own language, even if their data is processed outside their home country;
  • enhanced data subject rights – the right to be forgotten (provided it does not encroach on the freedom of expression and information) and the right to data portability are supported by the Council;
  • jurisdiction – the Council agrees that non-EU companies will be required to comply with European data protection law when offering services in the EU;
  • enhanced powers for data protection authorities – DPAs will be given enhanced enforcement powers including the ability to levy fines of up to 1m Euros or up to 2% of annual global company turnover;
  • data breaches – serious data breaches will have to be reported to the relevant DPA as soon as possible and within 24 hours if feasible;
  • data protection by design and default – the Council intends for these to become essential principles in EU data protection rules; and
  • consistency mechanism – proposals to ensure that the rules are applied the same way in each Member State by streamlining cooperation between DPAs on issues with implications for the whole of Europe.

What does this mean for you?

The GDPR will now move to the final stages of negotiation. Trialogues between the Commission, the Parliament and the Council will begin on 24 June 2015 to resolve differences between the three proposals and agree the definitive legislation. The intention is to complete the process by the end of the year, although it remains to be seen whether this is an achievable goal. The GDPR is definitely looking a lot closer now.