The core element of the Commission package is a general data protection regulation. This draft regulation updates and modernises the principles of the 1995 data protection directive. It sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules.
In December 2015, the Council and the European Parliament reached an agreement on the draft regulation.
On 8 April 2016, the Council adopted its position at first reading. The draft regulation was then adopted by the European Parliament on 14 April 2016.
The regulation addresses several fundamental issues.
It lists the rights of the data subject, that is, the individual whose personal data is being processed. These strengthened rights give individuals more control over their personal data, including through:
It also lays down the obligation for controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to data subjects on the processing of their data.
It details the general obligations of the controllers and of those processing the personal data on their behalf (processors). These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform (risk-based approach). Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer.
The draft regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level. It also aims to establish mechanisms to create consistency in the application of data protection law across the EU. In particular, in important cross-border cases where several national supervisory authorities are involved, a single supervisory decision is taken. This principle, known as the one-stop shop, means that a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment.
The draft agreement includes the setting up of a European Data Protection Board. This board would consist of representatives of all 28 independent supervisory authorities and would replace the existing Article 29 Committee.
It recognises the right of data subjects to lodge a complaint with a supervisory authority, as well as their right to judicial remedy, compensation and liability. To ensure proximity for individuals in the decisions that affect them, data subjects will have the right to have a decision of their data protection authority reviewed by their national court. This is irrespective of the member state in which the data controller concerned is established.
It provides for very severe sanctions against controllers or processors who violate data protection rules. Data controllers can face fines of up to €20 million or 4% of their global annual turnover. These administrative sanctions will be imposed by the national data protection authorities.
It also covers the transfer of personal data to third countries and international organisations. To this end, it puts the Commission in charge of assessing the level of protection given by a territory or processing sector in a third country. Where the Commission has not taken an adequacy decision on a territory or sector, transfer of personal data may still take place in particular cases or when there are appropriate safeguards (standard data protection clauses, binding corporate rules, contractual clauses).