The EU Council of Ministers has announced that it has reached consensus on the draft Data Protection Regulation. The next step in the process is the start of negotiations, scheduled to begin 24 June. Those negotiations will be complex and involve the Council of Ministers, the European Parliament and the EU Commission.
The negotiations will seek to synthesize the approach agreed by the Council with each of the Commission’s and Parliament’s agreed drafts. According to a press release by the Commission, the Council agreed with many of the fundamental provisions contained in the Commission’s proposal for the draft Regulation.
Despite adding new rights to individuals and an increased sanction regime, the objectives behind the Regulation are to create a one-stop-shop for multinationals doing business in the EU or targeting their products and services to EU citizens, and thereby driving down the cost and complexity of compliance. The current Data Protection Directive has resulted in variations between the 28 Member States’ national laws, whereas a Regulation has direct effect in each Member State’s law without the need for national legislation.
The Council has endorsed the ‘one stop shop’ approach so that in the future, organisations will only need to deal with the national Data Protection Authority having jurisdiction over the location of their EU headquarters or EU location with delegated data protection responsibility. The Council has also agreed to endorse the right to data portability and the increased right to block search engine content, also called the ‘right to be forgotten’, but acknowledges that the right is not absolute. In addition, the Council’s approach to fines is up to a maximum of 2% of an organisation’s worldwide annual turnover, down from the proposed 5% advocated by the Commission.
Once fully agreed between the Council, Parliament and Commission, the draft data protection regulation would only become effective two years after being published in the EU Bulletin.