New EU data protection legislation, informally agreed on Tuesday and backed by Civil Liberties MEPs on Thursday morning, will create a uniform set of rules across the EU fit for the digital era. It should also improve legal certainty and boost trust in the digital single market for citizens and businesses alike. Clear and affirmative consent to data processing, the right to be forgotten and strong fines for firms breaking the rules are some of the new features.
"The new rules will give users back the right to decide on their own private data”, said Parliament's lead MEP on the regulation, Jan Philipp Albrecht (Greens, DE). "At the same time, the new rules will give businesses legal certainty and chances for competition. It will create one single common data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market", he added.
The informal agreement reached by Parliament and Council on Tuesday evening was backed by 48 votes to 4, with 4 abstentions.
The new rules will replace the EU's current data protection laws which date from 1995, when the internet was still in its infancy, and give citizens more control over their own private information in a digitised world of smart phones, social media, internet banking and global transfers. At the same time they aim to ensure clarity and legal certainty for businesses, so as to boost innovation and the further development of the digital single market.
The new rules include provisions on:
- clear and affirmative consent to the processing of private data by the person concerned, so as to give consumers more control over their private data. This could for example mean ticking a box when visiting an Internet website or by another statement or action clearly indicating acceptance of the proposed processing of the personal data. Silence, pre-ticked boxes or inactivity will thus not constitute consent. It should also be as easy for a consumer to withdraw consent as to give it
- kids on social media: children below a certain age will need to get their parents' permission ("parental consent") to open an account on social media such as Facebook, Instagram or Snapchat, as is already the case in most EU countries today. The new, flexible rules ensure that member states can set their own limits, provided these are between the 13th and 16th birthdays, thus giving them the freedom to maintain those they already apply.
This flexibility was included at the pressing request of member states. Parliament’s negotiators would have preferred an EU-wide age limit of 13 years.
- right to be forgotten: Consumers will thus have the "right to be forgotten" or erased from the databases of companies holding their personal data, provided there are no legitimate grounds for retaining it,
- the right to know when your data has been hacked: companies and organisations will be required to notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures,
- plain language: MEPs insisted that the new rules must put an end to “small print” privacy policies. Information should be given in clear language before the data is collected,
- fines of up to 4% of firms' total worldwide annual turnover should constitute a real deterrent to breaking the rules,
- firms will have to appoint data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers. Firms whose core business activity is not data processing will be exempt from this obligation so as to avoid red tape,
- one-stop-shop for complaints and enforcement: national Data Protection Authorities (DPAs) will be enhanced to become a first instance body where citizens can complain about data breaches. Cooperation among the DPAs will also be significantly strengthened to ensure consistency and oversight.
On Monday 21 December at 14.00 there will be a joint press conference on the data protection package with Ms Marju Lauristin (S&D, EE), Mr Jan Philipp Albrecht (Greens/EFA, DE - rapporteur on the regulation), Commissioner Vera Jourová and justice minister Félix Braz for the Luxembourg Presidency of the Council.
The informal agreement on the regulation will be voted by the full house in spring 2016 (probably March or April).
After the entry into force of the regulation, member states will have two years to apply its provisions.
Note to editors
According to a recent Eurobarometer survey only a minority of the respondents (15%) feel they have complete control over the information they provide online; 31% think they have no control at all ( Data Protection Eurobarometer, June 2015). In the same survey, two-thirds of respondents (67%) say they are concerned about not having complete control over the information they provide online.
The European Commission presented its proposal for an overhaul of EU data protection rules in January 2012. On 21 October 2013, after a year and a half of negotiations, consultations with four parliamentary committees and a record number of 3,999 amendments tabled, Parliament's Civil Liberties Committee adopted its position which would form the basis for the negotiations with the member states.
The position was confirmed by the Plenary on 12 March 2014. On 15 June 2015 member states approved their negotiation position. Already the following week, on 24 June, the three-way-talks between Commission, Council and Parliament began.