Political agreement reached on the EU DP Regulation and Directive

Yesterday, the EU Council, European Parliament and European Commission negotiators agreed the data protection package – the general DP Regulation and the so-called ‘Police’ Directive. The next step is a confirmation vote at the European Parliament’s Civil Liberties Committee tomorrow, 17 December, followed by a vote in the Parliament as whole in the new year. The Council will also have to formally adopt the proposal – this is expected at the beginning 2016. The new rules will become applicable two years thereafter.

"[Today's] negotiations hopefully have cleared the way for a final agreement," Jan Philipp Albrecht, the Parliament’s rapporteur said. "In future, firms breaching EU data protection rules could be fined as much as 4% of annual turnover - for global Internet companies in particular, this could amount to billions. In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers."

"Unfortunately, Member States could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, Member States will now be free to set their own limits between 13 and 16 years," he concluded.

The Regulation, which applies both to “controllers” and “processors”, introduces the One-Stop-Shop: businesses will only have to deal with one single supervisory authority. Notification will be scrapped and accountability measures introduced. Importantly, companies based outside Europe will have to apply EU rules when offering services in the EU. A duty to notify Data Protection Authorities of data breaches and a right to data portability are included in the new consensus.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said, "These new pan-European rules are good for citizens and good for businesses. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market.”

Phil Lee, Head of Fieldfisher’s US Office in Silicon Valley said: "This is the most significant development in data protection that Europe, possibly the world, has seen over the past 20 years. Forget Safe Harbor and Right to be Forgotten – this is much, much more significant."