Media release

Data protection: Council agrees on a general approach

© European Union
15 June 2015

On 15 June 2015, the Council reached a general approach on the general data protection regulation that establishes rules adapted to the digital era. The twin aims of this regulation are to enhance the level of personal data protection for individuals and to increase business opportunities in the Digital Single Market.

Latvia's minister for justice Dzintars Rasnačs said: "Today we have moved a great step closer to modernised and harmonised data protection framework for the European Union. I am very content that after more than 3 years of negotiations we have finally found a compromise on the text. The new data protection regulation, adapted to the needs of the digital age, will strengthen individual rights of our citizens and ensure a high standard of protection."

A general approach means that the Council has a political agreement on the basis of which it can now begin negotiations with the European Parliament with a view to reaching overall agreement on new EU data protection rules. A first trilogue with the Parliament is planned for 24 June 2015.

"I salute the readiness of the European Parliament to start the trilogue negotiations already next week. Hopefully we will come to the final agreement rapidly so that our citizens can enjoy the benefits of the reform as soon as possible", said Latvia's minister for justice Dzintars Rasnačs.

The incoming Luxembourg Presidency indicated that, in parallel to the negotiations on the regulation, works on the data protection directive in the law enforcement area would be accelerated with the aim to find a general approach in October.

Luxembourg Justice minister Felix Braz said: "This reform is a package and we have the firm intention to conclude by the end of this year".

Main elements of the agreement

An enhanced level of data protection

Personal data must be collected and processed lawfully under strict conditions and for a legitimate purpose. Data controllers (those responsible for the processing of data) must respect specific rules, such as the requirement for unambiguous consent by the data subject (the individual whose personal data is being processed), in order to be allowed to process personal data.

Strengthened data protection rights give data subjects more control over their personal data:

  • easier access to their data.
  • more detailed information about what happens to their personal data once they decide to share it: data controllers must be more transparent about how personal data is handled, for example by informing individuals about their privacy policy in clear and plain language.
  • a right to erasure of personal data and "to be forgotten", enabling anyone for example to require that a service provider remove, without delay, personal data collected when that individual was a child.
  • a right to portability enabling easier transmission of personal data from one service provider, for instance a social network, to another. This will also increase competition among service providers.
  • limits to the use of 'profiling', i.e. automated processing of personal data to assess personal aspects, such as performance at work, economic situation, health, personal preferences etc.

To ensure improved legal redress, data subjects will be able to have any decision of their data protection authority reviewed by their national court, irrespective of the member state in which the data controller is established.

Increased business opportunities in the Digital Single Market

A single set of rules, valid across the EU and applicable both to European and non European companies offering their on-line services in the EU will prevent conflicting national data protection rules from disrupting cross-border exchanges of data. Moreover, increased cooperation between the supervisory authorities in the member states will ensure coherent application of those rules throughout the EU. This will create fair competition and encourage companies, especially small and medium-sized enterprises, to get the most out of the Digital Single Market.

To reduce costs and provide legal certainty, in important transnational cases where several national supervisory authorities are involved, a single supervisory decision will be taken. This one-stop-shop mechanism will allow a company with subsidiaries in several member states to limit its contacts to the data protection authority in the member state where it is established.

In order to reduce compliance costs, data controllers can, on the basis of an assessment of the risk involved in their processing of personal data, define risk levels and put in place measures in line with those levels.

More and better tools to enforce compliance with the data protection rules

Increasing responsibility and accountability of data controllers will improve compliance with the new data protection rules. Data controllers must implement appropriate security measures and provide, without undue delay, notification of personal data breaches to the supervisory authority as well as to those significantly affected by the breach. Controllers and processors may designate data protection officers in their organisation. Moreover, Union or national law can require them to do so.

Data subjects, as well as, under certain conditions, data protection organisations can lodge a complaint with a supervisory authority or seek judicial remedy in cases where data protection rules are not respected. Furthermore, when such cases are confirmed, data controllers face fines of up to €1 million or 2% of their global annual turnover.

Guarantees regarding transfers of personal data outside the EU

The protection of transfers of personal data to third countries and international organisations is ensured through adequacy decisions. The Commission, with the involvement of member states and the European Parliament, is competent to decide whether the level of data protection offered by a third country or an international organization is adequate. In cases where no such decision has been taken, the transfer of personal data may only take place if the appropriate safeguards (standard data protection clauses, binding corporate rules, contractual clauses) are in place.

Jānis Bērziņš