Statewatch.org have recently published a leaked copy of the European Council’s draft of the proposed new Data Protection Regulation and it makes for interesting reading.

The key provisions of the proposed Data Protection Regulation that should be noted are as follows:

(1) Fines of up to €1 million or 2 per cent of annual worldwide turnover will be imposed on companies for privacy breaches;

(2) Companies will be under an obligation to report data breaches to national data protection authorities and to the individual whose data is affected;

(3) Companies will also be under an obligation to conduct ‘data protection impact assessments’ if they process data in a way that poses a high risk to individuals’ privacy. If a company fails to comply with this obligation then they will be liable to the fines set out at (1) above;

(4) Companies will continue to be regulated by the national data protection authorities in the jurisdiction in which they are based but all EU citizens will have the right to bring data privacy complaints to data-protection authorities in their own countries under the “one stop shop” principle. Judgments made by national authorities can be referred to a new, EU-wide European board comprising data-protection authorities from all countries; and

(5) The so called ‘Right to be Forgotten’ right that emerged from the European Court of Justice’s ruling in the Costeja case last year is codified in the proposed Data Protection Regulation.

Next Steps

Ministers in the Justice Council of the European Union have last week sealed a general approach on the Commission proposal on the Data Protection Regulation. Negotiations with the Parliament and the Council will start in late June and the expectation is that a final agreement will now be reached by the end of 2015. We will be keeping a close eye on development in this sphere and will have further updates on the blog.