New EU data protection law looms near, but are security teams ready?

The General Data Protection Regulation (GDPR), the successor to the 1995 Data Protection Directive, was first proposed by the European Commission three-and-a-half years ago, and after various rewrites in EU parliament chambers, now appears to be on the home straight to becoming law.

Yesterday, 28 ministers in the Justice Council agreed to adopt a “general approach” on the Commission's proposal on the regulation.

“Trilogue negotiations with the Parliament and the Council will start in June; the shared ambition is to reach a final agreement by the end of 2015,” read a press release announcing the news.

Key features of the regulation include the ‘One Stop Shop’ rule – under which companies will deal with a single set of data protection rules rather than 28 sets, one for each EU member state – the right to data portability, and the ‘right to be forgotten’, although the Council notes that the latter is “not an absolute right”.

Meanwhile, the Council's view is that data breach fines should be capped at two percent of global annual turnover (or a maximum of €1 million), rather than the figure previously declared by the European Parliament of up to five percent (or €100 million). A cap of two percent would be good news for the ICO, which recently hinted it has no intention of handing out huge fines.

Elsewhere, the GDPR stipulates that data breaches will need to be reported within 72 hours, large firms will need to hire data protection officers, and all the proposals will apply to non-EU companies that offer services to EU customers.

Andrus Ansip, vice president for the Digital Single Market, said: "I feel very encouraged by this positive step towards improved and harmonised data protection rules. Data Protection is at the heart of the Digital Single Market; it builds a strong basis to help Europe make better use of innovative digital services like big data and cloud computing."

Věra Jourová, commissioner for justice, consumers and gender equality said: "Today we take a big step forward in making Europe fit for the digital age. Citizens and businesses deserve modern data protection rules that keep pace with the latest technological changes. High data protection standards will strengthen consumers' trust in digital services, and businesses will benefit from a single set of rules across 28 countries. I am convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year."

William Long, partner at Sidley Austin, said in an email to “Europe's Council of Ministers has agreed to a proposed EU Data Protection Regulation that, if adopted, will have a very significant impact on businesses in the EU and those internationally, including in the US, that do business in the EU.

“This regulation has a raft of new requirements, such as appointing data protection officers, and new rights, including a right of erasure, as well as fines for non-compliance of up to 5 percent of annual worldwide turnover (gross revenue).

“Negotiations will now commence between the Council, the Commission and the European Parliament and the Regulation is widely expected to be adopted by the end of 2015 or early 2016.”