Legal provisions of COM(2016)214 - Communication to the EP concerning the Council's position on the General Data Protection Regulation

Please note

This page contains a limited version of this dossier in the EU Monitor.

EUROPEAN COMMISSION

Brussels, 11.4.2016

COM(2016) 214 final

2012/0011(COD)

COMMUNICATION FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT

pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

concerning the

position of the Council on the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)
and repealing Directive 95/46/EC


2012/0011 (COD)

COMMUNICATION FROM THE COMMISSION
TO THE EUROPEAN PARLIAMENT

pursuant to Article 294(6) of the Treaty on the Functioning of the European Union

concerning the

position of the Council on the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)
and repealing Directive 95/46/EC

1. Background

Date of transmission of the proposal to the European Parliament and to the Council
(document COM(2012) 11 final – 2012/11 COD):
25 January 2012;
Date of the opinion of the European Economic and Social Committee:

SOC/455 EESC-2012-1303
23 May 2012.
Date of the position of the European Parliament, first reading:12 March 2014.
Date of transmission of the amended proposal:N/A.
Date of adoption of the position of the Council:8 April 2016.

2. Objective of the proposal from the Commission

Directive 95/46/EC 1 , the central legislative instrument for the protection of personal data in Europe, was a milestone in the history of data protection. Its objectives, to ensure a functioning Single Market and effective protection of the fundamental rights and freedoms of individuals, remain valid. However, it was adopted 21 years ago when the internet was in its infancy. In today's new, challenging digital environment, existing rules provide neither the degree of harmonisation required, nor the necessary efficiency to ensure the right to personal data protection.

Against this background the Commission proposed on 25 January 2012 a Regulation intended to replace Directive 95/46/EC and which is setting out a general EU framework for data protection. The proposal for a Regulation modernises the principles of the 1995 Directive, tailoring them for the digital age and harmonising the data protection law in Europe. Strong data protection rules are necessary to rebuild the trust of individuals in how their personal data is being used.

The proposal for a Regulation focuses on: reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.

The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people's personal information is protected – no matter where it is. The new rules address these concerns through

• Easier access to one's data - individuals will have more information on how their data is processed in a clear and understandable way;

• A 'right to be forgotten' - when an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;

• The right to know when one's data has been hacked - companies must notify the supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures;

• A right to data portability – this will make it easier for individuals to transmit personal data between service providers.

The proposed Regulation also supports the Digital Single Market to realise its potential through:

• One continent, one law: a single, pan-European law for data protection, replacing the current inconsistent patchwork of 28 national laws;

• One-stop-shop: a one-stop-shop for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU;

• A a level playing field - today European companies have to adhere to stricter standards than companies established outside the EU but also doing business in our Single Market. With the reform companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market;

• Technological neutrality: the Regulation enables innovation to continue to thrive under the new rules.

Finally, the proposed Regulation provides that supervisory authorities will be able to fine undertakings that do not comply with EU rules up to 2% of their global annual turnover.

3. Comments on the position of the Council

The position of the Council reflects the political agreement reached between the European Parliament and the Council in informal trilogues on 15 December 2015, subsequently endorsed by the Council on 8 April 2016.

The Commission supports this agreement since it is in keeping with the objectives of the Commission proposal.

The agreement maintains the nature of the legal instrument as proposed by the Commission, namely a Regulation as opposed to a Directive which would then require transposition into 28 national legal systems. It also ensure the necessary level of harmonisation while leaving a room of maneouvre for Member States as regards the specifications of the data protection rules for the public sector.

The Council position confirm the Commission approach as regards the territorial scope of the Regulation which will also apply to controllers or processors established in a third country if they offer goods or services or monitor the behaviour of data subejcts in the Union.

The agreement, in keeping with the Commission approach, strengthens the principles of data processing (e.g. data minimisation) and the rights of data subjects by enshrining a right to be forgotten and a right to portability and by further developping existing rights such as the right to information or the right of access.

The agreement also preserves and further develops the risk-based approach already present in the Commission proposal and which requires that controllers and, in some cases the processors, to take into account the nature, scope, context and purposes of processing and the risks of varrying likelihood and severity for the rights and freedoms of the data subject of such processing. Moreover, the agreement reached on the 'one-stop-shop' mechanism is legally and institutionally sound, and brings significant added value for companies and data subjects. The mechanism will rely on the principle of the 'best placed authority' to take the decision and it will focus only on cases with an important cross-border dimension. The outcome in Council maintains the key simplification element of having a single decision across the EU and a single interlocutor for business and for the individual.

The agreement also further clarifies and specifies the rules on international transfers as regards, for example, the criteria to be taken into account for assessing the level of protection in a third country or the instruments that can provide for appropriate safeguards for international transfers.

The Council position empowers supervisory authorities to impose financial sanctions for infringements of the Regulation, going up to 2 - 4% of the global annual turnover of an undertaking.

Finally, the Council position contrary to the Commission proposal does not consider the Regulation as a development of the Schengen acquis. Therefore, the Commission considers that a statement in this regard is necessary.

4. Conclusion

The Commission supports the results of the inter-institutional negotiations and can therefore accept the Council's position at first reading.

5. Statement by the Commission - Schengen relevance of the Regulation

"The Commission regrets the change to its initial proposal through the deletion of recitals 136, 137 and 138 related to the Schengen acquis. The Commission considers that in particular as visas, border control and return are concerned, the General Data Protection Regulation constitutes a development of the Schengen acquis for the four States associated with the implementation, application and development of said acquis."

(1) Directive 95/46/EC on the protection of individuals with regard to the protection of personal data and on the free movement on such data, OJ L 281, 23.11.1995, p. 31.