Brussels, 16/12/2015 (Agence Europe) - In the evening of Tuesday 15 December, EP and EU Council of Ministers negotiators managed to reach agreement on the data protection package, particularly the draft general regulation on personal data, along with the directive on personal data processing by the police and penal system. A confirmation vote will take place on Thursday in the EP's civil liberties committee.
The two items of draft legislation were unveiled in January 2012 by the then Justice and Fundamental Rights Commissioner, Viviane Reding (see EUROPE 10538), the regulation replacing the current 1995 directive, and the directive replacing a framework-decision of 2008. The former Commissioner came forward with flagship measures such as the right to have online information deleted, which is included in the regulation, and fines on companies not complying with EU rules.
More than three and a half years later, the proposals backed by the negotiators on Tuesday evening have been the subject of a compromise on numerous occasions, but in the opinion of the German rapporteur for the general regulation, Jan Philipp Albrecht (Greens/EFA), the compromise still marks progress by paving the way for the conclusion of this long-awaited reform of the EU's data protection rules. The legislation, he said, would allow data protection systems to be set up at European level, replacing the current patchwork of national data protection rules, and would therefore substantially improve consumer protection and competition, and would also ensure that the EU's data protection rules are well-adapted for the digital age.
The GUE/NGL also feels that major progress has been made, explained Germany's Cornelia Ernst, particularly through the introduction of the concepts of privacy by design and by default, and through the ban on transferring personal data to services outside the EU when there are no international frameworks or treaties with the countries in question. Germany welcomed the fact that fines on offending companies can be as high as 4% of their global annual turnover.
Max Schrems, the Austrian student who has brought a number of court cases against Facebook and was the originator of the Safe Harbor ruling issued by the European Court of Justice on 6 October, expressed reservations, tweeting that the level of protection provided for Europeans was the equivalent of that provided by the old directive, “or lower.”
In practice, the new rules in the general regulation aim to give consumers greater powers over the processing of their information, giving them the right to give clear consent for the use of their personal data. In most cases, this consent has to be 'unambiguous' and involve a clear indication by the consumer of consent, for example by ticking a box. The consensus says that consent must be explicit, in the sense of being even clearer, for more sensitive data such as ethnic origin.
Users will have the right to have their information deleted or corrected and the right to be forgotten, subject to certain conditions, as this right was felt during the negotiations to be difficult because of the possible implications for freedom of speech. The compromise states that users will be able to request that their details are deleted or no longer used if the objective for which they are being processed no longer has a connection with the user's objective when he initially consented to it.
When it comes to direct marketing, users should be able to opt out and be clearly informed of this right in advance. For later use of the information by companies for so-called legitimate interests, users should be able to challenge said use and the company would then have to prove that its interests are greater than the fundamental rights of the person in question.
The compromise should facilitate corporate life. SMEs will not now have to employ a data protection controller, apart from in a few special cases, such as when data protection is a key part of their business. SMEs were concerned about the cost of the measure initially put forward by Viviane Reding. Prior notification to the control authority has also been scrapped (it would have cost €130 million a year, Ed.) and the requirements on companies have been adjusted in line with the potential risk for privacy of the company's business, explains the Luxembourg Presidency. Notifications of serious violations of data protection rules to national control authorities and the users concerned are still compulsory.
Another new development is that through use of a 'one stop shop,' companies will have a single interlocutor, the data protection authority of the country where their headquarters is located. They will have to deal with this authority in the event of conflicts. Companies active in a number of European markets will no longer have to face a number of potentially contradictory decisions.
When it comes to the exchange of information among police and judicial authorities, the directive states that the rules shall apply both to the cross-border processing of personal information and to the processing of personal information by police and judicial authorities at the strictly national level. The agreement makes it possible for personal data to be transferred by the competent authorities to private bodies in specific circumstances in the case of terrorist attacks or emergencies. The directive also gives the police the right to restrict information about data they hold or access to the processed data. The police will not be able to confirm or deny whether they are holding personal data in order to avoid being compromised during ongoing investigations. EUROPE will return to this. (Original version in French by Solenn Paulic)