On January 25, 2012, the European Commission first proposed a new data protection framework to replace the rapidly decaying Directive of 1995. Yesterday, following a long day of trilogue negotiations, the European Parliament and Council announced they have reached an agreement to a consolidated text of a brand-new General Data Protection Regulation (GDPR).
It is, quite simply, a landmark moment in data protection and privacy, both in Europe and around the world.
The Luxembourg Presidency of the Council of the European Union called it “a historic agreement,” with Luxembourg Justice Minister Félix Braz calling it an “ambitious and forward-looking text. We can have full confidence in the result.”
This represents, said Green MEP and rapporteur Jan Philipp Albrecht, “a major step forward for consumer protection and competition and ensure[s] Europe has data protection rules that are fit for purpose in the Digital Age.”
European Commission Vice President Andrus Ansip said the agreement was vital for the Digital Single Market effort and “will remove barriers and unlock opportunities … Today’s agreement builds a strong basis to help Europe develop innovative digital services.”
There has been a great deal of lobbying—some estimate the most lobbying for any piece of European legislation in history—and there will continue to be, as advocate and industry groups attempt to still get parliamentarians to amend the draft before it is voted into law and published in the Official Journal of the European Union.
However, what we have now is likely to be very close to what is eventually published. Some of the major provisions of the 200-page document include:
• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.
• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.
• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.
• Many organizations will now be required to appoint a data protection officer, including all public bodies processing data, all companies where data processing is a “core” activity and all companies where sensitive data is processed on a “large scale.”
• The GDPR’s principles clearly state that personal data should only be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes,” a principle referred to as “purpose limitation.” The text also introduces principles of “data minimisation,” “accuracy,” “storage limitation” and “integrity and confidentiality.”
• The GDPR introduces a formal idea of “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.
• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, to perform a task in the public interest or where “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.”
• That consent has to be demonstrable upon demand, can be retracted by the data subject at any time and will not be considered valid if a data subject has to give consent to processing for the provision of a service where the processing isn’t necessary to the actual performance of the contract.
• While the stated intent of the Regulation has long been to harmonize data protection law in the EU, there will still be variation from member state to member state: “To this extent, this Regulation does not exclude Member State law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful.”
• Children under the age of 16 will need parental approval to give consent, unless the member state passes a law lowering that age, which may go no lower than 13.
• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.
• Controllers have to provide any information they hold about a data subject free of charge and within one month of request.
• A “right to erasure” is established, under which controllers are required to delete personal data in a variety of cases, including if the data was collected when the data subject was still a child in need of parental consent or if the data collected falls into one of the sensitive categories, even if the data has already been made public.
And that is just a beginning.
Already, any number of advocacy and industry groups have issued reactions, many of them disappointed with the final result of the GDPR.
The European Data Coalition declared that lawmakers have “stumbled at the finish line,” saying they have failed to “provide the progressive policy balance” needed, and specifically referring to the sanction levels as “crippling.”
The Industry Coalition for Data Protection, an umbrella group that includes DigitalEurope, the World Federation of Advertisers, the Software Alliance and a number of others, described the GDPR text as “a wrong turn,” with FEDMA Secretary General Sébastien Houzé declaring, “We are very concerned that investors will be scared off from investing in Europe and will build the next big thing in technology elsewhere, like Asia.”
Digital rights group EDRi isn’t completely satisfied, but “the bare essentials appear to have been salvaged from the lobby storm.” Executive Director Joe McNamee said, however, “there is little left of the initial ambition of the proposals.” The result, he said, “is that the overall package is less clear and less protective of personal data than it could—and should—have been. However, compared with the potentially disastrous positions taken by some of the European Parliament’s committees and by the EU Member States in the Council of the European Union general approach … the outcome is vastly better than it could have been.”
Similarly, Sophie in ‘t Veld, speaking for the ALDE Group in Parliament, celebrated the arrival of the compromise text but added, "Although we are happy with the overall result, we regret the fact that EU Governments managed to weaken the rights of users on a number of points. It is striking that our national governments behave more like the representatives of big industry and the secret services, than the custodians of fundamental rights and the rule of law."
Likely, more reaction will continue to build over the next days and weeks as the Parliament’s LIBE Committee first votes on the compromise text on Thursday and then, should it pass as expected, the full Parliament votes in January. Stay tuned for further coverage.
Photo credit: Photo of the trilogue negotiators posted by Jan Philipp Albrecht to his Twitter account.