EU data protection reform package agreed

Practical Law UK Legal Update 8-621-1766 (Approx. 6 pages)

by Practical Law Data Protection
The European Parliament and the Council have reached agreement on the EU data protection reform package, concluding trilogue negotiations between the Commission, Parliament and Council and paving the way for formal adoption in early 2016.

Speedread

On 15 December 2015, the European Parliament and the Council reached agreement on the EU data protection reform package, concluding trilogue negotiations between the Commission, Parliament and Council. This paves the way for the package to be formally adopted in early 2016 by the Parliament (in plenary) and the Council and to become applicable two years later. The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the Parliament has since voted to endorse what was agreed. Two items of proposed legislation are involved - the General Data Protection Regulation and the Data Protection Directive for police and judicial cooperation on criminal matters.
The current patchwork of data protection rules and four years of reform-related debate are expected to end in early 2016, by formal adoption of the data protection reform package. Organisations can expect the new regulation to become applicable in early 2018 and can now prepare for this with greater certainty. Amongst other new measures, the introduction of a potential sanction of up to 4% of global turnover for breaches of data protection law is likely to have a significant effect on how seriously data protection compliance is taken by businesses in the future. For further information on compliance, see Practice note, GDPR: Key provisions and what businesses should be doing to comply (UK).

Background

The General Data Protection Regulation is intended to replace the current Data Protection Directive (95/46/EC). It is almost four years since the initial proposed draft of this regulation was adopted by the European Commission in January 2012. More recently, a general approach was agreed in June 2015, which formed the basis for the Council's position in the trilogue negotiations with the European Commission and the European Parliament (see Legal update, Council agrees general approach on proposed Data Protection Regulation). For detailed analysis of the regulation's progress, please see Practice note, EU data protection regime proposals: analysis and noter-up, and for tracking legislation in the reform package, see Legislation tracker: Personal Data Protection Reform Package. This legal update focuses on the proposed General Data Protection Regulation.

Data protection reform package agreed

On 15 December 2015, the European Parliament and the Council reached agreement on the EU data protection reform package, concluding trilogue negotiations between the Commission, Parliament and Council. This paves the way for the package to be formally adopted in early 2016. The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the Parliament has since voted by overwhelming majority to endorse what was agreed politically in the trilogues on both the proposed General Data Protection Regulation and Data Protection Directive for police and judicial cooperation on criminal matters. In early 2016, the Parliament (in plenary, likely in March or April 2016) and the Council are expected to formally adopt the texts, making the new legislation applicable two years later.
The new data protection regulation is designed to give people better control of their personal data and to modernise and unify rules so that businesses can take advantage of the Digital Single Market and cut red tape. The EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, described the agreed reforms as "good for citizens and good for businesses" and "fit for the digital age". Jan Philipp Albrecht, the MEP rapporteur for the regulation, has stated that the regulation returns control to citizens, where consumers will have to give their explicit consent to the use of their data. He also stated that businesses could face a potential sanction of up to 4% of global turnover for breaches of EU data protection law and would have to appoint a data protection officer where large scale collection of consumer or sensitive data arises, under the agreed regulation.
The Commission has indicated that for individuals, the agreed rules give easier access to their own data and a right to data portability, making it easier to transfer personal data between service providers (such as social networks). A clarified right to be forgotten and a right to know when data has been hacked are also provided for. For businesses, a single set of rules across the EU is intended to make compliance simpler and cheaper. Notification of processing activities to a supervisory authority is to be scrapped. A one-stop shop principle means that businesses only have to liaise with one national supervisory authority where necessary, rather than multiple. A risk-based approach means that obligations on businesses will be tailored to their size and to the privacy risks associated with their activities. For example, smaller businesses may not always need to appoint data protection officers or carry out privacy impact assessments and may be able to charge a fee for providing data access. Companies based outside Europe must also comply with EU data protection rules when offering services in the EU.
An impasse arose in the trilogue negotiations around the age limit for parental consent for children's use of social media, which may now vary between 13 and under 16 years old, depending on the member state.
As regards the agreed Data Protection Directive for police and judicial cooperation on criminal matters, harmonised laws for police and criminal justice are intended to improve protection for individuals affected by crime and law enforcement such as victims and suspects, while enhancing cross-border police cooperation to better combat crime and terrorism.

Comment

The current patchwork of data protection rules and four years of reform-related debate are expected to end in early 2016 by formal adoption of the agreed EU data protection reform package. The agreement of the package in trilogue negotiations is a hugely significant step for data protection reform in Europe.
Organisations can expect the new data protection regulation to become applicable in early 2018 and can now plan for this with greater certainty. Amongst other new measures, the introduction of a potential sanction of up to 4% of global turnover for breaching data protection law is likely to have a significant effect on how seriously data protection compliance is taken by businesses in the future. However, the two-year transition period allows organisations time to begin to introduce changes to their compliance regimes before the regulation, if formally adopted early next year, becomes applicable in early 2018. Individuals are likely to welcome the reinforcements to data protection rights that the agreed package provides.
Practical Law Data Protection will be publishing more detailed guidance in due course on the finalised text of the regulation (available on the Parliament website), which is expected to be formally approved in 2016.
Published on 17-Dec-2015
Resource Type Legal update: archive
Jurisdiction
  • European Union