Q&A: new EU rules on data protection put the citizen back in the driving seat 


New EU data protection legislation aims to create a uniform set of rules across the EU fit for the digital era, improve certainty as to the law and boost trust in the digital single market for citizens and businesses alike. Clear and affirmative consent to data processing, the right to be forgotten and tough fines for firms breaking the rules are some of the new features.

The European Parliament finalised more than four years of negotiations when MEPs passed the legislation in the Civil Liberties Committee on Tuesday 12 April, followed by a vote by the full house on Thursday 14 April.

The overhaul concerns two pieces of legislation: a general regulation on personal data processing in the EU and a directive on data processed by the police and judicial authorities. Together, these make up the data protection package.

The regulation will replace the EU data protection directive which dates from 1995, when the internet was still in its infancy. It will replace the current patchwork of national laws with a single set of rules designed to give citizens more control over their own private information in a digitised world of smart phones, social media, internet banking and global transfers. It also aims to improve certainty as to the law for businesses, so as to boost innovation and the future development of the digital single market. The data protection regulation will strengthen trust and provide for a high level of protection for all individuals across the EU in whatever circumstances their personal data are processed, except for law enforcement purposes (which are covered by the directive), and will also apply to firms outside Europe targeting EU consumers.

The data protection directive covers data processing by the police and criminal justice sector. It aims to ensure that the data of victims, witnesses and crime suspects are duly protected in criminal investigations and law enforcement actions. At the same time, more harmonised laws should also facilitate cross-border cooperation among police forces and prosecutors, enabling them to fight crime and terrorism more effectively across Europe.

After the Council formally approved the data protection package at its first reading on Friday 8 April, Parliament finally completed more than four years of negotiations that began when the Commission presented its proposals in January 2012. Parliament voted its first-reading position in March 2014, but had to wait for more than a year for member states to agree on their common negotiating position before the three-way talks between Parliament, Council and Commission could begin in June 2015. In the case of the directive, the Council agreed a compromise on its negotiating mandate in October 2015.

An informal agreement was reached on 15 December 2015, and endorsed by Parliament and Council on 17 and 18 December respectively. Since then, Parliament has repeatedly called on the Council to finalise its work on the texts to allow the stronger data protection requirements to enter into force swiftly. In particular, a majority of MEPs has consistently stressed the urgent and indispensable need to guarantee a sufficient level of data protection, as set out by the data protection directive, before allowing the bulk collection of flight passenger data envisaged by the EU Passenger Name Record (PNR) directive, which is also to be put to a vote at the April Strasbourg session.

The plenary vote marked the final step in the legislative procedure. The data protection regulation will enter into force 20 days after its publication in the EU Official Journal, and become directly applicable in all member states two years after this date. Member states will also have two years to transpose the provisions of the directive into their national laws.