Monday 11 Apr 2016 @ 15:20
EU News
Printable version

Data protection reform: Council adopts position at first reading

On 8 April 2016, the Council adopted its position at first reading on data protection reform, which paves the way for the final adoption of the legislative package by the European Parliament at its plenary session in April. 

This formal adoption comes after the compromise agreed with the European Parliament in December 2015. 

Following this adoption, the Dutch minister for Justice, Ard Van der Steur said: “I have the commitment from the European Parliament that this will allow a vote on both the data protection package and the PNR Directive in April. The Brussels attacks of 22 March have once again underlined the urgency of the adoption of the PNR Directive.” 

Data protection reform is a legislative package aimed at updating and modernising existing data protection rules.  It includes two legislative instruments: the general data protection regulation (intended to replace directive 95/46/EC) and the data protection directive in the area of law enforcement (intended to replace the 2008 data protection framework decision).

Infographics - data protection regulation

The data protection regulation sets out the rights of the individuals and establishes the obligations of those processing and those responsible for the processing of the data
See full infographics

The protection of persons in relation to the processing of their personal data is a fundamental right laid down in the Charter of Fundamental Rights of the EU (Article 8) and in the Treaty on the Functioning of the European Union (Article 16).

General data protection regulation 

The general data protection regulation aims at enhancing the level of data protection for individuals whose personal data is processed and increasing business opportunities in the digital single market including through reduced administrative burden.  

An enhanced level of data protection 

The principles and rules on the processing of personal data of individuals must respect fundamental rights and freedoms, notably the right to protection of personal data. These strengthened data protection rights give data subjects (the individuals whose personal data is being processed) more control over their personal data: 

  • more specific rules allowing data controllers (those responsible for the processing of data) to process personal data, including through the requirement for the consent of the individuals concerned.
  • easier access to their personal data.
  • better information about what happens to personal data once it is shared. This includes informing individuals about their privacy policy in clear and plain language, which can also be done via standardised icons.
  • a right to erase personal data and "to be forgotten". This enables, for example, subjects to require the removal, without delay, of personal data collected or published on a social network when the individual was still a child.
  • if a youngster of below 16 years wishes to use online services, the service provider has to try to verify that parental consent has been given. Member states may lower this age ceiling without going below 13 years.
  • a right to portability, facilitating the transmission of personal data from one service provider, such as a social network, to another. This will not only increase data protection rights but also enhance competition among service providers.
  • a right to object to the processing of personal data relating to the public interest or to legitimate interests of a controller. This right covers the use of personal data for the purposes of 'profiling'.
  • common safeguards covering the processing of personal data for archiving purposes where that is in the public interest and for scientific and historical research or statistical purposes.

To ensure proximity of legal redress, data subjects have the right for a decision of their data protection authority to be reviewed by their national court, irrespective of the member state in which the data controller is established. 

Increased business opportunities in the digital single market 

The regulation provides for a single set of rules, valid across the EU and applicable both to European and non European companies offering on-line services in the EU. This avoids a situation where conflicting national data protection rules might disrupt the cross-border exchange of data. It also provides for increased cooperation between member states to ensure coherent application of the data protection rules across the EU. This will create fair competition and will encourage companies, especially small and medium-sized enterprises, to get the most out of the digital single market. 

To reduce costs and provide legal certainty, in important cross-border cases where several national supervisory authorities are involved, a single supervisory decision is taken. This one-stop-shop mechanism allows a company which is active in several member states to deal only with the data protection authority in the member state of its main establishment. This mechanism also provides for a single decision applicable to the entire EU territory in case of disputes.  

With a view to reducing administrative costs, the regulation applies a risk-based approach: data controllers can implement measures according to the risk involved in the data processing operations they perform. Different businesses have different activities and the risks of such activities in terms of privacy can vary. The regulation  does not set out a no one-size-fits all solution: the stronger the risks of the activities for the personal data, the more stringent the obligations.  

More and better tools to enforce compliance with the data protection rules 

The regulation provides a range of measures to increase the responsibility and accountability of data controllers in order to ensure full compliance with the new data protection rules. Data controllers must implement a number of security measures, including the requirement in certain cases to notify personal data breaches. To future-proof the regulation, the principles of data protection by design and by default are introduced. Public authorities and those companies that perform certain risky data processing must designate a data protection officer to ensure compliance with the rules.  

Data subjects, and in certain conditions, data protection organisations can lodge a complaint with a supervisory authority or seek judicial remedy in case the data protection rules are not complied with. Data controllers can face maximum fines of up to €20 million or 4% of their global annual turnover.  

Guarantees on the transfer of personal data outside the EU 

The regulation lays down the rules for transferring personal data to third countries and international organisations. Transfers may take place provided that a number of conditions and safeguards are met, in particular where the Commission has decided that an adequate level of protection exists. New adequacy decisions will have to be reviewed at least every 4 years. Existing adequacy decisions and authorisations remain in force until amended, replaced or repealed.  

Data protection directive in the field of law enforcement 

This directive is aimed at protecting personal data processed for prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.  

It is crucial to ensure a consistent and high level of protection of personal data of individuals while at the same time facilitating the exchange of personal data between law enforcement authorities in the different member states.  

Broader scope of application 

In addition to covering activities aimed at preventing, investigating, detecting and prosecuting criminal offences the new directive has been extended to cover the safeguarding and prevention of threats to public security.  

The new directive would apply to both the cross-border processing of personal data as well as the processing of personal data by the police and judicial authorities at purely national level. The framework decision, which will be replaced, covered only cross-border exchange of data.  

Data subject's rights 

The rules strike a balance between the right to privacy and the need for the police not to reveal that data is being processed at an early stage of an investigation. However, the text lists the information that the data subject is always entitled to receive in order to protect his or her right if they fear that an infringement of their data has taken place. 

The new rules will also cover the transfer of personal data to third countries and international organisations.  

Compliance 

The new directive foresees that a data protection officer is appointed to help the competent authorities to ensure compliance with the data protection rules.  

Another tool to ensure compliance is impact assessment. Where a type of processing is likely to result in a high risk for the rights and freedoms of individuals the competent authorities must carry out an assessment of the potential impact of a certain processing, in particular when using new technology. 

Monitoring and compensation 

The text of the directive is aligned with the text of the regulation in order to ensure that in broad terms the same general principles apply. In addition, the rules on the supervisory authority are to a large extent similar because the supervisory authority established in the general data protection regulation can also deal with matters falling under the directive. The new directive would also grant data subjects the right to receive compensation if they have suffered damage as a consequence of a processing that has not respected the rules.                     

Next Steps 

The European Parliament is expected to vote in second reading at its plenary session next week, on Thursday 14 April, thus approving the Council's position at first reading without amendments and completing the legislative process.

Afterwards, the legal texts will be published in the Official Journal of the EU.

Press contacts

Romain Sadet
Press officer
+32 22818914
+32 473865437

 

Share this article

Latest News from
EU News

EU increases humanitarian aid to Gaza by €25 million

07/11/2023 13:25:00

As part of the EU's continued support to people in Gaza, the Commission will provide a further €25 million in humanitarian aid. This quadruples EU humanitarian assistance to over €100 million for Gaza this year.

President von der Leyen marks the EU's commitment to the Partnership for Global Infrastructure and Investment (PGII) during the event hosted at the G20 in New Delhi

12/09/2023 15:25:00

President von der Leyen recently (09 September 2023) spoke at the G20 event on PGII hosted by Prime Minister Modi and President Biden.

Summer 2023 Economic Forecast: Easing growth momentum amid declining inflation and robust labour market

12/09/2023 13:25:00

The European Commission yesterday presented the Summer 2023 Economic Forecast

Climate change: Deal on a more ambitious Emissions Trading System (ETS)

20/12/2022 10:33:00

On Saturday night, MEPs and EU governments agreed to reform the Emissions Trading System to further reduce industrial emissions and invest more in climate friendly technologies.

EU and Ukraine sign €100 million for the rehabilitation of war-damaged schools *

20/12/2022 09:25:00

Exactly three months after President von der Leyen's announcement in her 2022 State of the Union Address, the European Commission and the Government of Ukraine have signed a €100 million support package for the reconstruction and rehabilitation of schooling facilities damaged in Russia's full-scale war of aggression against Ukraine.

NextGenerationEU: European Commission endorses positive preliminary assessment of Portugal's second request for €1.8 billion disbursement under the Recovery and Resilience Facility

19/12/2022 16:33:00

The European Commission recently (16 December 2022) endorsed a positive preliminary assessment of Portugal's payment request for €1.8 billion of grants and loans under the Recovery and Resilience Facility (RRF), the key instrument at the heart of NextGenerationEU.

'Fit for 55': Council and Parliament reach provisional deal on EU emissions trading system and the Social Climate Fund

19/12/2022 15:25:00

The Council and the European Parliament reached a provisional political agreement on important legislative proposals of the ‘Fit for 55’ package that will further reduce emissions and address their social impacts.

Ukraine: EU agrees ninth package of sanctions against Russia

19/12/2022 14:33:00

The Commission welcomes the Council's adoption of a ninth package of hard-hitting sanctions against Russia for its aggression against Ukraine. 

Council and European Parliament agree on new safety requirements for machinery products

19/12/2022 13:25:00

The Council and the European Parliament negotiators have reached a provisional agreement on the regulation for machinery products. The proposed legislation transforms the 2006 machinery directive into a regulation. 

Exclusive offers, deals and discounts available to public sector staff, past and present!