On 15 December 2015, the Luxembourg Presidency of the Council of the European Union reached an informal agreement in trialogues with the European Parliament on the 'Data Protection' Package which will set out new European rules on privacy in the digital age.
The agreement reached by the Luxembourg Presidency will have to be confirmed at the level of the Council of the EU by the 28 Member States, and will be addressed by a Coreper meeting to be held before 21 December 2015.
The 'Data Protection' Package, under negotiation since the European Commission put forward the proposal in January 2012, includes a Regulation establishing the general framework for the protection of personal data and a Directive on the protection of personal data processed for the purpose of law enforcement.
Following the adoption of general approach on the Regulation in the JHA Council of June 2015 and the adoption of a general approach on the Directive in the JHA Council of October 2015, the co-legislators ─ the European Parliament and Council of the European Union acting under the Luxembourg Presidency ─ have been engaged in intense negotiations in order to reach an agreement before the end of 2015.
Félix Braz, Luxembourg's Minister for Justice and President of the Council, declared: 'It is a fundamental agreement with significant consequences. This reform not only strengthens the rights of citizens, but also adapts the rules to the digital age for companies, whilst reducing the administrative burden. They are ambitious and forward-looking texts. We can have full confidence in the result.'
The Regulation: New rules adapted to the digital age
The work carried out during the trialogues since June 2015 on the Regulation has made it possible to produce a balanced text. While individuals will benefit from enhanced control over their personal data, companies will also see their needs with regard to the processing of data taken into account in order to avoid any obstacles to economic development in the digital age. Xavier Bettel, Luxembourg's Prime Minister and Minister for Communications and the Media stated: 'The right to protection of personal data and the needs of the digital economy with regard to data are not incompatible. This reform allows us to succeed in squaring the circle.'
New elements of the agreement on the Regulation:
- A strengthening of the rights of citizens: for example, the possibility of contesting targeted online advertising and the possibility of transferring personal data from one online service to another (social networks, for example);
- A reduced administrative burden for companies: for example, the requirement of prior notification of a supervisory authority is abolished and obligations imposed on companies are adjusted on the basis of the potential threat to privacy which may be caused by the activities of the company in question;
- Enhanced cooperation between the national authorities of the 28 Member States in order to apply a single set of rules: for example, companies active in several European markets should no longer be subject to conflicting decisions;
- Harmonised rules within the European Union applicable to all actors operating in the European Union: the same level of protection will be applicable for all European citizens, even if their personal data is processed by companies established outside of the European Union.
A two-year timescale for the application of the Regulation is provided for from its entry into force.
The Directive: Increased exchange of data between police and judicial authorities
The Luxembourg Presidency can also claim to have successfully dealt with two challenges with regard to the Directive: following the general approach adopted in the JHA Council of October, the conclusion of the case during the trialogues demonstrates the priority accorded to it by the Luxembourg Presidency.
The Directive seeks to guarantee increased protection of personal data and to facilitate the exchange of data between law enforcement authorities within the European Union.
New elements of the agreement on the Directive:
- The Directive will apply to the cross-border processing of personal data, as well as to the processing of personal data by police and judicial authorities at strictly national level. Accordingly, police and judicial authorities should no longer apply different rules according to the origin of the personal data.
- Transferring personal data from competent authorities to private entities will be possible under specific conditions. It constitutes a legal framework that will enable police authorities to take swift action in cases of a terrorist attack or other emergencies.
- As well as protecting the rights of individuals, the Directive makes it possible for police authorities to limit both the information held in on the data and access to the processed data. The framework allows for police authorities to neither confirm nor deny whether they are in possession of personal data in order to avoid compromising ongoing investigations.