Ministers from the EU agreed on Monday to begin negotiations with the European Parliament over a comprehensive update to the union’s data privacy rules.
The General Data Protection Regulation (GDPR) would give Europeans more rights in controlling what happens with their personal data, and give firms handling that data more responsibility for protecting it.
After agreeing a compromise common position on the GDPR draft, member states gave the Latvian Presidency of the Council of the EU the mandate to commence so-called trilogue negotiations. The Latvian presidency only has two weeks left in its term, though, so the mandate will then pass to negotiators from Luxembourg.
“We all understand this is a compromise we have on our tables, but it is a good and workable compromise,” Věra Jourová, the European commissioner for justice, consumers and gender equality, told the assembled ministers, adding that the aim was to create “futureproof” legislation.
The regulation’s predecessor has lasted two decades, so far. The European Commission proposed the GDPR in 2012 as a replacement for the Data Protection Directive of 1995, and the European Parliament passed it with amendments last year.
As it is a regulation rather than a directive, member states would have less flexibility in how they apply the new law nationally, meaning a higher level of harmonization across countries.
The regulation would force companies processing personal data to prove that the data subjects have given their explicit consent. Multinationals would need to appoint independent data protection officers to ensure compliance.
The potential fines for data protection violations could be as high as two percent of annual worldwide turnover. Depending on the company in question, this would be much higher than the fines that are currently levied.
For example, France is currently threatening Google over its alleged non-compliance in applying the so-called right to be forgotten. The country’s data protection regulator can only levy a maximum fine of €150,000. Google’s annual revenues for 2014 totaled €58.9 billion, two percent of which is €1.1 billion.
Providers of online services would have to make it easier for people to move their data to rival providers, and would also have to report serious data breaches to national authorities.
One of the most controversial aspects of the new regulation is that of liability for breaches. Under the current system, if a bank using a cloud provider to handle its customers’ data were to suffer a breach, the customer would only be able to sue the bank. Under the GDPR, the customer would be able to sue both the bank and the cloud provider.
Tech companies are deeply opposed to the change, arguing that it would increase legal uncertainty for the many new companies that are trying to find opportunities in the data-processing market, and therefore increase their insurance premiums.
Industry lobbying group DigitalEurope said in a statement that the regulation could “act as an obstacle to the digital economy” if it did not provide enough certainty for companies.
However, the European consumer rights body BEUC said the change would create more certainty for consumers. “The status quo is, to all intents and purposes, inadequate for online data processors,” BEUC spokesman John Phelan said. “We need clear provisions on liability, notification and remedies in order to have any kind of basic safeguards for consumers working online.”
Another contentious issue that will no doubt surface during the trilogue discussions is the right of citizens to have their data erased. The UK is concerned that this may clash with the right to free expression.
Ministers from Hungary, Poland, Austria and Slovenia expressed serious reservations about the compromise text during Monday’s meeting. “We wish all the best to the incoming presidency, Luxembourg,” Slovenian justice minister Goran Klemenčič said. “You have a lot on your plate.”
Digital rights group Access welcomed the impending negotiations, but complained that the Council’s text would not give citizens enough visibility into the collection and use of their data. “The Council seems to have overlooked the impetus behind the privacy reform effort as its approach deprives citizens of the ability to control their data,” Access European Policy Manager Raegan MacDonald said in a statement.
The first trilogue negotiation between the Latvian presidency and Parliament is expected to take place on June 24. If, as hoped by all the participants, the GDPR is finalized by the end of the year, it would take effect two years later.
[“source – politico.eu”]