Personal data protection: processing and free movement of data (General Data Protection Regulation)
2012/0011(COD) - 08/04/2016  

The Council adopted its position at first reading with a view to the adoption of a general data protection regulation. The proposed regulation aims to reinforce data protection rights of individuals, facilitate the free flow of personal data in the single market and reduce administrative burden, and harmonise the data protection rules in the European Union.

The Council position at first reading maintains the objectives of Directive 95/46/EC: protection of data protection rights and the free flow of data. At the same time, it seeks to adapt the data protection rules currently in force in light of the ever-increasing volume of personal data that is processed as a result of technological change and globalisation.

The main points of the Council position at first reading are as follows:

Scope: the Council position provides that the general data protection regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of any structured set of personal data which are accessible according to specific criteria.

Furthermore, the Council position strengthens the accountability of controllers (responsible for determining the purposes and the means of the processing of personal data) and processors (responsible for processing personal data on behalf of the controller). It creates a level playing field for controllers and processors in terms of territorial scope by covering all controllers and processors, irrespective of whether they are established in the Union or not.

Principles relating to personal data processing: with a view to providing legal certainty, the Council position builds on Directive 95/46/EC in specifying that processing of personal data is only lawful if at least one of the following conditions is fulfilled:

· the data subject has clearly and explicitly consented to the processing for one or more specific purposes; the Council position provides for a specific protective regime for consent by children in relation to the offering of information society services;

· the processing is necessary for: (i) a contract; (ii) a legal obligation; (iii) protection of the vital interests of the data subject or of another natural person; (iv) a task carried out in the public interest or in the exercise of official authority vested in the controller; (v) the legitimate interests pursued by a controller or by a third party.

The Council position:

· allows Member States to maintain or introduce more specific provisions which adapt the application of the rules of the regulation if personal data is processed for compliance with a legal obligation or is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

· provides that processing for a purpose other than the one for which the personal data were originally collected is only lawful where that further processing is compatible with the purposes for which the personal data were originally processed.

Empowerment of data subjects: the Council position reinforces the data protection rights of data subjects and places corresponding obligations on controllers. The rights of the data subject encompass:

· the right to information: controllers must provide information and communication in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed to a child;

· the right of access to personal data, i.e. the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where such personal data are being processed, access to the information listed in the regulation;

· the right to rectification;

· the right to erasure of personal data, including a "right to be forgotten";

· the right to restriction of processing;

· the right to data portability: data subjects have the right to receive the personal data concerning them, which they provided to a controller, in a structured, commonly used, machine-readable and interoperable format, and to transmit those data to another controller;

· the right to object, and the right not to be subject to a decision based solely on automated processing, including profiling. It is specified that where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her.

Controller and Processor: the Council position establishes the legal framework for the responsibility and liability for any processing of personal data carried out by a controller or, on the controller's behalf, by a processor. In line with the principle of accountability, the controller is obliged to implement appropriate technical and organisational measures and be able to demonstrate the compliance of its processing operations with the regulation. The regulation lays down rules relating to the responsibilities of the controller concerning:

· impact assessments, where processing operations involve a high risk for the rights and freedoms of individuals;

· keeping records of processing;

· data breaches;

· the designation of a Data Protection Officer; and

· codes of conduct and certification mechanisms.

Transfer of personal data to third countries or international organisations: the level of protection guaranteed by the Union must not be undermined if personal data of EU citizens are transferred outside the Union. As a general principle, any transfer of personal data to a third country or to an international organisation may only take place if controllers and processors comply with the rules of the regulation.

Supervisory Authorities: each Member State must provide that one or more independent public authorities are responsible for monitoring the application of the regulation on its territory. Each supervisory authority and its members must act with complete independence, including with integrity, in performing the tasks and exercising the powers entrusted to that supervisory authority and its members.

European Data Protection Board: the Council position at first reading establishes the European Data Protection Board as a body of the Union having legal personality, with a view to ensuring the correct and consistent application of the regulation.

Remedies, liabilities and penalties: the regulation contains an elaborate set of rules that gives data subjects several avenues of remedy, including claiming compensation for damage suffered as a result of an infringement of the regulation.

In order to ensure compliance with the provisions of the regulation, the Council position provides that supervisory authorities can impose administrative fines of up to EUR 20 million or 4 % of the worldwide turnover of the infringer.