The EU member states have agreed their version of a controversial new data protection law for Europe. The member states’ justice and home affairs ministers have proposed that the new regulation should include fines of up to €1m or 2 per cent of annual worldwide turnover for privacy breaches.

The Council’s text also requires companies to report data breaches to national regulators and to the individuals whose data is affected; we’ve seen this in previous versions of the text, but this would be a major change to current EU law. The text also obliges companies to conduct ‘data protection impact assessments’ if they process data in a way that poses a high risk to individuals’ privacy; this duty, which was in previous drafts, would be new under EU law and would be subject to the €1m/2 per cent fine.

A leaked copy of the Council’s document is here; the Council is expected to officially adopt its text on 15 June. After that, the Council, Commission and Parliament will conduct ‘trilogue’ discussions together, to try to reach a final version of the text. These discussions are expected to last until the end of 2015. Once a final document is agreed and adopted, it will then come into force in the member states two years later.