PURPOSE: to protect individuals with regard to the processing of personal data and on the free movement of such data.
PROPOSED ACT: Regulation of the European Parliament and of the Council.
BACKGROUND: the centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters.
The current legal framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity.
This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market.
Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy.
This proposal further details the approach for the new legal framework for the protection of personal data in the EU as presented in its Communication on this issue.
The legal framework consists of two legislative proposals:
IMPACT ASSESSMENT: the impact assessment was based on the three policy objectives of improving the internal market dimension of data protection, making the exercise of data protection rights by individuals more effective and creating a comprehensive and coherent framework covering all areas of Union competence, including police co-operation and judicial co-operation in criminal matters.
Three policy options of different degrees of intervention were assessed:
The analysis of the overall impact led to the development of the preferred policy option which is based on the second option with some elements from the other two options and incorporated in the present proposal. According to the impact assessment, its implementation will lead inter alia to considerable improvements regarding legal certainty for data controllers and citizens, reduction of administrative burden, consistency of data protection enforcement in the Union, the effective possibility of individuals to exercise their data protection rights to the protection of personal data within the EU and the efficiency of data protection supervision and enforcement.
LEGAL BASIS: Article 16(2) and Article 114(1) of the Treaty on the Functioning of the European Union (TFEU).
CONTENT: the proposed Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data. It protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. Its main provisions are as follows:
Principles: the proposal sets out the principles relating to personal data processing. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller. It also sets out the criteria for lawful processing, which are further specified as regards the balance of interest criterion, and the compliance with legal obligations and public interest. It clarifies the conditions for consent to be valid as a legal ground for lawful processing and sets out further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them.
Rights of the data subject: the proposal introduces the obligation on controllers to provide transparent, easily accessible and understandable information. It obliges the controller to provide procedures and mechanisms for exercising the data subject's rights, including means for electronic requests, requiring response to the data subject's request within a defined deadline, and the motivation of refusals.
In addition, the proposal:
General obligations: the proposal takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance. It sets out the obligations of the controller arising from the principles of data protection by design and by default. It introduces for controllers and processors: (i) the obligation to maintain documentation of the processing operations under their responsibility, instead of a general notification to the supervisory authority; (ii) the obligation to implement appropriate measures for the security of processing; (iii) an obligation to notify personal data breaches; (iv) the obligation to carry out a data protection impact assessment prior to risky processing operations.
Data protection officer: the proposal introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.
Transfer of personal data to third countries or international organisations: the proposal spells out, as a general principle, that compliance with the obligations in that chapter is mandatory for any transfers of personal data to third countries or international organisations, including onward transfers. It sets out the criteria, conditions and procedures for the adoption of an adequacy decision by the Commission. The criteria which shall be taken into account for the Commission's assessment of an adequate or not adequate level of protection expressly include the rule of law, judicial redress and independent supervision. For transfers to third countries where no adequacy decision has been adopted by the Commission, the proposal requires appropriate safeguards to be adduced, in particular standard data protection clauses, binding corporate rules and contractual clauses.
Independent supervisory authorities: the proposal obliges Member States to establish supervisory authorities and to enlarge the mission of the supervisory authorities to co-operation with each other and with the Commission. It clarifies the conditions for the independence of supervisory authorities, implementing case law by the Court of Justice of the European Union.
Co-operation and consistency: the proposal introduces explicit rules on mandatory mutual assistance, including consequences for non-compliance with the request of another supervisory authority. It introduces a consistency mechanism for ensuring unity of application in relation to processing operations which may concern data subjects in several Member States.
The proposal also establishes the European Data Protection Board, consisting of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor.
The European Data Protection Board replaces the Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up under Article 29 of Directive 95/46/EC.
Remedies, liability and sanctions: the proposal provides: (i) for the right of any data subject to lodge a complaint with a supervisory authority; (ii) for the bodies, organisations or associations which may lodge a complaint on behalf of the data subject and also, in case of a personal data breach, independently of a data subject's complaint; (iii) for the right to a judicial remedy against a supervisory authority; (iv) that the data subject may launch a court action for obliging the supervisory authority to act on a complaint; (v) for the right to a judicial remedy against a controller or processor; (vi) for the introduction of common rules for court proceedings, including the rights of bodies, organisations or associations to represent data subjects before the courts, and the right of supervisory authorities to engage in legal proceedings; (vii) for the Member States to provide for the right to compensation and lay down rules on penalties, to sanction infringements of the Directive, and to ensure their implementation.
BUDGETARY IMPLICATIONS: the specific budgetary implications of the proposal relate to the tasks allocated to the European Data Protection Supervisor as specified in the legislative financial statements accompanying this proposal. These implications require reprogramming of Heading 5 of the Financial Perspective. The total appropriations are estimated at EUR 24.339 million for 2014-2020. The proposal has no implications on operational expenditure.
DELEGATED ACTS: this proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the European Union.
The Council discussed the future of EU development policy and adopted conclusions on "Increasing the impact of EU development policy: an Agenda for Change".
The rapidly changing global environment and the new international architecture require a more comprehensive, responsive and effective approach to external action and development policy. The Council set out a renewed EU approach to development policy whereby the EU is to focus in the future on those countries and sectors where it can have the greatest impact. These new principles will guide EU financial instruments for external action under the next Multiannual Financial Framework for 2014-2020, and in particular the new development cooperation instrument.