European Council of Ministers in “historic step” for GDPR by end of 2015

Speaking at a news conference a few hours ago, Věra Jourová, the European Union’s Commissioner for Justice, Consumers and Gender Equality, announced that an “historic step” had been taken today as the European Council of Ministers reached agreement on the general approach on the General Data Protection Regulation (GDPR).

Latvia’s minister for justice Dzintars Rasnačs added: “We have moved a great step closer to modernised and harmonised data protection framework for the European Union. I am very content that after more than 3 years of negotiations we have finally found a compromise on the text and (GDPR)… will strengthen individual rights of our citizens and ensure a high standard of protection.”

What this means is that the Council of Ministers has political agreement on the basis of which it can now begin negotiations with the European Parliament with a view to reaching overall agreement on GDPR by the end of the year.

Negotiations with the European Parliament and the European Commission start as planned on 24 June 2015.

The European Parliament’s lead MEP on data protection regulation, Jan Philipp Albrecht (Greens DE), was equally optimistic that a deal on the final wording of GDPR could be achieved before the end of 2015.

“After over a year of stalling, it’s encouraging that we can finally push ahead with the EU General Data Protection reform and that Parliament can begin negotiations with the Council. The challenge is now to reconcile the two sides, to ensure that the reform provides reliable and high common standards of data protection, and reach an agreement on this before the end of the year.

“There are clearly differences, notably on consumer rights and the duties of businesses. However, if we can negotiate constructively and pragmatically, it should be possible to deliver a compromise acceptable to both sides within the timeframe. This outcome would benefit everyone and show that the EU takes the concerns of its citizens in the digital age seriously.”

In a news release issued today, the European Commission states that today’s general approach includes agreement from EU justice ministers on areas such as:

  • establishing a single set of rules on data protection, valid across the EU — with the aim of reducing the burden on businesses operating in the region, including by stripping out “unnecessary administrative requirements, such as notification requirements for companies”
  • strengthening existing rights such as the so-called ‘right to be forgotten’, and improving citizens’ rights to be informed if their data is hacked. There’s also support for a right to data portability to make it easier for users to transfer personal data between service providers
  • requirements that companies based outside the EU have to apply the same rules when offering services inside the EU
  • increased powers for national data protection authorities (DPAs) to enforce rules, including increased fines for data protection violations (of up to €100m or up to 2% of the global annual turnover)
  • the notion of a one-stop-shop “single supervisory authority” for data protection to streamline doing business and consumer protection for citizens was also something that the Council of Ministers accepted

But not everyone has been equally enthusiastic. Industry news site TechCrunch reports that claims of a “big step forward” in modernizing EU data protection rules look more like spin on the part of the European Commission, and is critical of the number of “carve outs” for how EU Member States can enact the Regulation under the Council’s amendments to the proposals, which have yet to be agreed by the European Parliament.

“In other words, there looks to be so much dilution afforded by allowing Member States flexibility that both regulatory consistency and privacy protections have been significantly eroded in order to achieve agreement among ministers,” reports TechCrunch. However, negotiations don’t start until 24 June when the detail of reforms to be delivered by GDPR will be debated in trilogue negotiations.

Critics argue that the Council’s position on a number of articles in the draft GDPR agreed by the European Parliament would actually turn the clock back on the protection afforded to citizens within the EU, for example by allowing companies to collect and repeatedly use citizens’ personal information without their knowledge (Article 6.4), or by allowing companies to transfer personal data to countries that don’t have rules or a mechanism in place to ensure the protection of this data (Article 38).

The full text of the Council of Ministers’ view of the GDPR, dated 11 June 2015, runs to 200 pages.

What does look certain is that the negotiations on the wording of the GDPR with the European Parliament will be tough, with the European Commission acting as honest broker.

Civil Liberties Committee Chair Claude Moraes (S&D, UK), who will be chairing the talks with the Council of Ministers and European Commission, observes:

“It’s now been over one year since the Parliament has adopted its mandate for the negotiations on the Data Protection Regulation proving its commitment to improving the standards of data protection. Since then, we have continually called for the Council to adopt its own position (“General Approach”) so that negotiations can begin to improve current legislation both for EU citizens and business. As it stands, EU legislation on data protection dates back to 1995, a time where internet access, smart phones or social media were not a part of daily life as they are today.

“Despite the difficult negotiations involved, the Parliament, led by the Rapporteur Jan Albrecht, will work towards finding a swift agreement on GDPR by the end of 2015 which will set out a robust, modern, consistent and higher level of protection for the years to come.

“As Chair of the Civil Liberties, Justice and Home Affairs Committee I would also urge the Council to ensure that they find agreement on the Data Protection Directive for law enforcement by October 2015 as the Parliament’s position has always been clear that we treat both proposals as a package,” he explained.

This was reinforced by the incoming Luxembourg Presidency, which indicated today that work on the directive in the law enforcement area will be accelerated.
