With the world becoming more and more digitalised, the increasing volume of personal data being processed has led to a significantly greater need for personal data protection. When the previous law on personal data protection was passed we lived in very different times – there was no Facebook, Google, smartphones, internet and other things we cannot imagine our life without today. To adjust to the challenges of today's digital era, we need a new legislative basis that better serves the needs of people and those of the industry – new legislative instruments that would help resolve disputes between data owners and data users, and ensure that data are processed lawfully, fairly and in a transparent manner.
The Latvian Presidency emphasises the vital importance of finding the right balance between human rights on one hand, and needs driven by technological progress on the other. Finding this balance is one of the main reasons why the Council discussions on the terms of the Regulation have lasted more than three years. In working on its position on the Regulation, the Council is trying to develop the Commission's original legislative proposal for a Regulation to ensure there is a fair balance between the rights of data subjects and the principle of the free flow of data, whilst guaranteeing that the new law is comprehensible and easy to enforce in practice. The ultimate goal is to produce a regulation which would resolve the problems currently faced by both individuals and industry.
Conscious of how important this regulation is for EU citizens, the Latvian Presidency is making every effort to conclude the discussions and reach an agreement on the Council position by the end of June.
During the Justice and Home Affairs (JHA) Council meeting in March a partial general approach was already agreed on Chapter II (principles relating to personal data processing) and Chapters VI and VII (one-stop-shop mechanism, competence of data protection authorities) of the Data Protection Regulation. It should be noted that the one-stop shop mechanism is a new tool that creates a single cooperation mechanism for data protection authorities. Three principles were incorporated in this process – legal certainty, proximity to the data subject and the jurisdiction of data protection authorities. This means that each individual will have the possibility to submit a claim to the data protection authority in his/her country and receive a decision from that authority, even if the data controller is from another country. The one-stop-shop mechanism also includes provisions aimed at strengthening data protection authorities, not only with regard to sanctions, but also concerning preventive activities, such as consulting data controllers on the importance of ensuring data protection safeguards and maintaining the trust of data subjects.
Substantial work still needs to be done on Chapter I (definitions), Chapter III (general principles and rights, and the procedural section) and Chapter VIII (sanctions). The Latvian Presidency plans to hold working party meetings in May and Counsellor meetings in June to discuss these chapters as well as horizontal issues concerning the whole Regulation. The Latvian Presidency is steering the process and keeping an eye on the negotiations to ensure that the level of protection for the data subject in the Council compromise text is no lower than in the Commission's original proposal. Chapter III of the Regulation currently includes additional provisions on the rights of data subjects, e.g. information and access to data, the right to object and the rights to rectification and erasure, portability, and the right to receive information from the controller.
Other issues still to be discussed concern sanctions and judicial remedies. To protect data subject rights, the level of sanctions has to be adequate and set such that it prevents infringements by controllers. The aim of the Regulation is protect data subject rights, so the draft Regulation makes it possible for data protection authorities – when deciding whether to impose an administrative fine and on the amount of that fine – to take into account the nature, gravity and duration of the infringement in each individual case, as well as the number of data subjects affected and the level of damage suffered by them, etc. The Regulation also makes provision for the data subject to receive compensation from the controller for any damages suffered as a result of data processing that is not in compliance with the Regulation.
The Latvian Presidency hopes that together we can create modern technologically-neutral safeguards for personal data protection, ensuring strong protection for individuals without imposing an undue and excessive burden on data controllers!