Ministers in the European Council have agreed on a general approach to data protection legislation, but some key issues over how companies can use consumer data are still up for debate.
This week the European Commission said that trilogue negotiations (three-way discussions) with the Parliament and the Council will start this month — with a “shared ambition” of reaching a “final agreement” by the end of 2015.
The deal will have major implications for citizens of EU countries and how their data is protected while using digital services.
It also will be of major importance to marketers in understanding the limitations of what they can do with the vast amounts of user data now available.
Although a compromise general approach was reached, most countries found fault with the text of the proposed General Data Protection Regulation.
Article 6(4) is one of the big sticking points. This article allows companies to change how and what they do with citizens’ data if they can show “legitimate interest”. Some countries, however, are concerned that “legitimate interest” is too vague and would leave the door open for companies to abuse personal information.
The European Parliament gave its backing to proposed new data protection rules back in March 2014. However, the agreement reached by the Council introduces plenty of amendments and rewrites to those earlier proposals. (The full text endorsed by ministers can be found here.)
The EC states that today’s general approach includes agreement from EU justice ministers on areas such as:
• establishing a single set of rules on data protection, valid across the EU — with the aim of reducing the burden on businesses operating in the region, including by stripping out “unnecessary administrative requirements, such as notification requirements for companies”
• strengthening existing rights such as the so-called ‘right to be forgotten’, and improving citizens’ rights to be informed if their data is hacked. There is also support for a right to data portability to make it easier for users to transfer personal data between service providers
• requirements that companies based outside the EU have to apply the same rules when offering services inside the EU
• increased powers for national data protection regulators to enforce rules, including increased fines for data protection violations (of up to €1 million or up to 2% of the global annual turnover)
• the notion of a one-stop-shop “single supervisory authority” for data protection to streamline doing business and consumer protection for citizens
The UK, represented by Lord Faulks, supported the general approach but raised concerns on the one-stop-shop and the right to be forgotten.
In two parallel statements, one each from the European Parliament and Commission, the two bodies agreed the approach trilogue negotiations will take to thrash out the final Data Protection Regulation.
Several other countries raised a number of concerns, including on Article 6.4 on legitimate interest and the scope of the Regulation. All these concerns will be taken into account during the trilogue process.
Andrus Ansip, vice-president for the Digital Single Market, said: “I feel very encouraged by this positive step towards improved and harmonised data protection rules. Data Protection is at the heart of the Digital Single Market; it builds a strong basis to help Europe make better use of innovative digital services like big data and cloud computing.”
Vera Jourová, commissioner for justice, consumers and gender equality, described the agreement as an important step forward and a good basis for the trilogues. She is confident that negotiations can be completed this year, and that the Regulation will be a key building block of the digital single market, good for business and citizens.
“Today we take a big step forward in making Europe fit for the digital age. Citizens and businesses deserve modern data protection rules that keep pace with the latest technological changes. High data protection standards will strengthen consumers’ trust in digital services, and businesses will benefit from a single set of rules across 28 countries. I am convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year,” she said.
The DMA Council’s position gives agreement with the Commission on the following:
• One continent, one law – the regulation will establish a single set of rules on data protection, valid across the EU. Companies will deal with one law, not 28. This will save businesses around €2.3 billion a year. In addition, the new rules will particularly benefit small and medium-sized enterprises (SMEs), reducing red tape for them. Unnecessary administrative requirements, such as notification requirements for companies, will be removed: this measure alone will save them €130 million per year.
• Strengthened and additional rights – the right to be forgotten will be reinforced. When citizens no longer want their data to be processed and there are no legitimate grounds for retaining it, the controller must delete the data, unless they can show that it is still needed or relevant. Citizens will also be better informed if their data is hacked. A right to data portability will make it easier for users to transfer personal data between service providers.
• European rules on European soil – companies based outside of Europe will have to apply the same rules when offering services in the EU.
• More powers for independent national data protection authorities – those authorities will be strengthened in order to effectively enforce the rules, and will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
• The ‘one-stop shop’ – the rules will establish a ‘one-stop shop’ for businesses and citizens: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business across the EU. Individuals will only have to deal with their home national data protection authority, in their own language – even if their personal data is processed outside their home country.
The Parliament also welcomed the news.
British Labour MEP and Civil Liberties Committee chair Claude Moraes, and rapporteur Jan Philipp Albrecht from the German Greens called for agreement in trilogues by the end of 2015.
“After over a year of stalling, it is encouraging that we can finally push ahead with the EU data protection reform and that Parliament can begin negotiations with the Council. The challenge is now to reconcile the two sides, to ensure that the reform provides reliable and high common standards of data protection, and reach an agreement on this before the end of the year.
“There are clearly differences, notably on consumer rights and the duties of businesses. However, if we can negotiate constructively and pragmatically, it should be possible to deliver a compromise acceptable to both sides within the timeframe. This outcome would benefit everyone and show that the EU takes the concerns of its citizens in the digital age seriously,” said Albrecht.
Claude Moraes, who will be chairing the trilogues, called on the Council to agree the Data Protection Directive by October 2015 to allow the two proposals to be treated as a package.