Landmark EU Privacy Regulation Final Text Agreed


By Stephen Gardner

Dec. 15 — European Union negotiators Dec. 15 concluded nearly four years of talks on the final text of a new data protection framework law by provisionally agreeing that companies that violate privacy rules could pay fines of up to 4 percent of their global revenues.

Negotiators from the European Parliament and the Council of the EU, which represents the governments of the 28 member states, also resolved final outstanding issues on data subject consent for the processing of their personal data and the responsibility of data processors to appoint data protection officers.

Jan Philipp Albrecht, the European Parliament's rapporteur, or lead negotiator, on the new General Data Protection Regulation, said in a statement that setting the level of fines at 4 percent of global revenues of companies “could imply billions of euros for the major global online corporations” if they violated the regulation.

The 4 percent level of fines was closer to the 5 percent level wanted by the European Parliament in its position on the data protection regulation—which it approved in March 2014—than to the position of the council—agreed in June 2015—which was that penalties could be up to 2 percent of global revenues.

“These new pan-European rules are good for citizens and good for businesses,” European Commissioner for Justice, Consumers and Gender Equality Vera Jourova said in a statement.

Provisional Approval

The European Commission, the EU's executive arm, proposed the General Data Protection Regulation (GDPR) in January 2012 to replace the EU's now over 20-year-old Data Protection Directive (95/46/EC).

The agreement on a text of the draft EU data protection regulation is provisional, pending approval by the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), which voted in favor of the compromise text Dec. 17 (see related report) (243 Privacy Law Watch, 12/18/15). The Council of the EU is scheduled to formally approve the text Dec. 18.

Assuming approval by the council, the provisional agreement between the parliament and council would be put to a vote of the full European Parliament early in 2016.

The text of the compromise agreement between the parliament and council wasn't made available immediately after the announcement of the final text agreement.

EU officials Dec. 14 released the nearly final text of the GDPR as it stood before the final negotiations with the items to be resolved highlighted in yellow.

Parental Consent

On the issue of consent, Albrecht said that parliament and council negotiators agreed that data subjects “will have to give explicit consent for their data to be used.”

Data protection officers would have to be appointed by companies “if they are handling significant amounts of sensitive data or monitoring the behavior of many consumers,” he said.

One surprise issue that arose late in the negotiations was parental consent for the processing of the data of their children.

Council negotiators inserted provisions in the agreed text that would allow EU member states to set the age at which parental consent is required at up to age 16.

“The European Parliament had proposed that the age at which users can consent to the use of their data by parental agreement be set at 13, but EU governments opposed this,” Albrecht said.

Sue Foster, a member at Mintz Levin in London, told Bloomberg BNA that the parental consent requirements for children up to 16 “to access information society services is a significant development.”

“Until now this has been a matter for national law,” Foster said.

A potential parental consent requirement for children under 16 in some countries is seen as potentially obstructing the access of children to social media sites, such as Facebook or Instagram.

In the U.S. the Children's Online Privacy Protection Act allows children over the age of 13 to give online consent.

Fines Are an Enforcement ‘Big Stick’

On fines, Foster said that “data protection authorities will finally have a ‘big stick’ to back up their decisions,” although the 4 percent maximum level of fines was “not surprising” as a compromise between the parliament and council positions.

Jorg Hladjk, counsel with Hunton & Williams LLP in Brussels, told Bloomberg BNA that it remains unclear how much discretion data protection authorities would have over the issuing of sanctions, and what levels of fines would be applied for different privacy violations.

Foster added that provisions on data protection officers “will require further interpretive guidance from the EU with respect to the meaning of ‘core activities’.”

The European Commission said in a statement Dec. 15 that small and medium-sized companies “are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.”

Foster said “virtually all companies with employees process special categories of data relating to their employees in the course of administering employee benefits and for other employment-related purposes. Are those core activities?”

Right to Be Forgotten, Other Provisions

The provisionally agreed text of the regulation also includes previously agreed upon provisions on data portability, data breach notification and a supervisory system based around the concept of the “one-stop-shop,” meaning that EU data subjects can make complaints to their national data protection authority, which will work with other authorities to resolve the complaint, even if the complaint concerns a data processor in another EU country.

The commission added that the regulation would also ensure that “companies based outside of Europe will have to apply the same rules when offering services in the EU.”

A “right to be forgotten” has also been included in the regulation, meaning “when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted,” the commission statement said.

Law Enforcement Directive

Parliament and council negotiators also provisionally agreed to adopt a companion law enforcement directive Dec. 15.

The directive will set minimum common standards for EU countries for the processing of personal data as part of criminal investigations.

Sophie in ’t Veld, a Dutch liberal lawmaker in the European Parliament, said in a statement that “until now there were hardly any European data protection rules governing the cross-border action of police and intelligence services; this package will fill this gap.”