The EU’s overhaul of data protection laws took a significant step forward this week with the EU Council approving a draft text of the new Regulation. Whilst drafts of the Regulation were proposed by the EU Commission and EU Parliament in 2012 and 2013 respectively, the Council’s deliberations have been subject to significant delay as the new laws were debated between the governments of the 28 Member States.

Here are the headlines of the EU Council’s draft of the Regulation:

  • Fines – still significant at 2% of worldwide turnover or €1,000,000, but more focussed on data security breaches and unauthorised monitoring;
  • Territorial scope – all three drafts of the Regulation largely agree that it will catch organisations processing personal data outside the EU;
  • The one-stop shop approach to regulation – this has been watered down making it more likely that organisations will still have to deal with a number of national regulators rather than their “home” regulator;
  • Mandatory breach reporting – this is retained but applies only to more serious incidents;
  • Direct obligations on data processors as well as data controllers – all three drafts of the Regulation largely agree that it will impose direct obligations on data processors;
  • “Explicit” consent to data processing – the Council text seeks to maintain the position under the current law (i.e. explicit consent only applies to sensitive personal data), whereas the EU Commission and Parliament propose to tighten the rules;
  • DPOs – the Council draft leaves it open to member states to decide whether data controllers have to appoint data protection officers, whereas the Commission and Parliament texts required them for larger organisations.

The Commission, the Parliament and the Council will now enter into a final negotiation phase in order to try to reconcile the draft proposals. The current aim is for the Regulation to be finalised by the end of 2015, with it coming into force at the end of 2017.