
Council of the European Union progress on new Data Protection Regulation


On 15 June 2015 the Council of the European Union released their general approach on the draft Data Protection Regulation. This follows the European Commission and the European Parliament’s proposals, which were published in 2012 and 2014 respectively. Readers will recall that the aim of the new legislation is twofold: (1) to enhance citizens’ data protection rights and (2) to increase business opportunities within the Digital Single Market.

Broadly there is consensus between the Commission, the Parliament and the Council on the following key proposals:

One Continent, One Law

Under Member States’ existing data protection laws there is significant divergence, which means there is very little certainty for businesses. The Regulation will create a harmonised data protection framework for the European Union. Unlike an EU directive, which requires national legislation to implement it, an EU regulation is directly enforceable in each Member State as soon as it is adopted. Therefore, rather than pan-European companies having to comply with the laws of 28 countries, there will be one set of rules which is consistently applied across the entire EU. The Commission anticipates this single, pan-European law will have benefits of an estimated €2.3 billion per year.

The Regulation will introduce a ‘one-stop shop’ approach where companies only have to deal with the supervisory authority in their Member State rather than 28 different data protection authorities. The legislation will also create improved mechanisms for cooperation between data protection authorities. These reforms will provide legal certainty for businesses, greatly reduce red tape and notification processes, and ensure faster decisions are reached. This should mean there are fewer disruptions to cross-border exchanges. It is hoped these improvements will particularly benefit small and medium enterprises.

Enhanced Rights and Protection for Citizens

Statistics from the Commission show that 90% of Europeans are concerned about data controllers collecting their data without their consent. The hope is that the Regulation will restore citizens’ trust and confidence in online services.

One of the main objectives of the Regulation is to give citizens more control over their personal data. The Regulation will require data controllers to obtain unambiguous consent from the individual before they are able to process their personal data. This means that data controllers will have to make privacy-friendly settings the default option for their products and services. If an individual decides to share their personal data then they will have to be provided with a privacy policy which is expressed in clear and plain language.

The new law will also give EU citizens the ‘right to be forgotten’. This means that if an individual wants their personal data to be removed from a data controller’s system then, unless there is a legitimate reason to retain the data, it should be erased. The Regulation expressly provides that this right should not encroach on the freedom of expression and information.

Under the ‘one-stop shop’ provisions citizens will be able to take a company processing their data to court in their own Member State regardless of where the business operates. This will provide citizens with greater access to judicial redress.

Non-EU Countries

Non-EU countries will also have to adhere to the Regulation and meet the required levels of protection of personal data if they operate in the European market. The ‘one-stop shop’ approach will benefit multinational organisations by also reducing the red tape involved in complying with EU law. Non-EU countries will only need to interact with the data protection authority in the Member State of their EU headquarters or principal location.


The intention is that the national data protection authorities will be able to impose effective sanctions if the provisions of the Regulation are breached. The Council has proposed that breaches may incur fines of up to €1 million, or in the case of a company, 2% of the annual worldwide turnover of that company.

Looking Ahead

Negotiations between the three EU bodies begin now to resolve any differences between their proposals and agree the definitive content of the Regulation. It is unclear how long the deliberations will take, with some optimistic forecasts predicting the process will be complete by the end of the year. The Council’s announcement and the start of negotiations undoubtedly mark a significant step towards the highly anticipated data protection reform.

This article was written by Paul Herbert, Partner, Media department with assistance from Freya Marks, trainee solicitor.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article, please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.