Brussels, 17/12/2015 (Agence Europe) - On Thursday morning 17 December, the EP Civil Liberties Committee (LIBE) endorsed the informal agreement reached between the EP and Council on Tuesday 15 December on the “personal data protection” package (see EUROPE 11455).
MEPs adopted the general regulation on data protection by 48 votes in favour, 4 against and 4 abstentions, as well as the directive on processing personal data by the legal and police authorities by 53 votes in favour, 2 against, with no abstentions.
It should be pointed out, that the general rule on data protection applies to private and public companies and even foreign companies providing services in the EU. It also contains several innovations, such as the “non-ambiguous” consent rule for consumers agreeing for their data to be used, a right to forget and a right to remove data. Companies can be fined up to 4% of their overall annual turnover if they do not respect the rules. Companies must appoint a data protection supervisor if they process a large amount of personal data. SMEs are exempt (unless the data is at the centre of their activities). The regulation also sets an age limit for parental authorisations given by consumers to their children that go on social networks. This limit is flexible and set between 13 and 16 (the EP wanted an age limit of 13).
With regard to the directive affecting the police and criminal justice system, it seeks to comprehensively harmonise the 28 different law enforcement systems involved in the processing of data for the purposes of applying the law and minimum standards on the processing of data for police purposes. This directive is adopted for purposes relating to the prevention and detection of criminal offences, investigations and pursued in this field, as well as the introduction of criminal sanctions or protection against threats to public security and prevention. The general principles on the purposes of processing, the periods for conserving data and information rights for people affected, are also outlined.
It therefore stipulates that personal data must be processed legally and accurately, as well as be collected for explicit and legitimate purposes that have been agreed and cannot be processed in incompatible ways with these goals. Data must be appropriate, relevant and non-excessive with regard to the purposes that have been set out and must also be exact and, if necessary, updated and conserved in a way that allows for the identification of the persons involved for a period that does not exceed what is necessary for the purposes for which they have been collected. Exemptions are, however, included, to enable agents involved in the processing of data, to use this data for other purposes.
The directive also includes provisions on international transfers between the law enforcement agencies in third countries or in international organisations. These transfers will only be allowed if the European Commission has made a preliminary decision on the appropriateness of this action and with guarantees for the member states that the third country provides a level of personal data protection that is adequate and similar to the European system.
The package is expected to be approved in the plenary in March or April, explains the EP. It will also have to be formally approved by the Council of Ministers of the EU. Member states will then have two years to transpose the rules contained in the directive. (Original version in French by Solenn Paulic)