The Commission supports the political agreement reached between the European Parliament and the Council in informal trilogues on 15 December 2015, since the agreement is in keeping with the objectives of the Commission proposal.
The proposal for a regulation focuses on reinforcing individuals' rights, strengthening the
EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. The new rules provide for the following:
· easier access to one's data: individuals will have more information on how their data is processed in a clear and understandable way;
· a "right to be forgotten": when an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted;
· the right to know when one's data has been hacked: companies must notify the supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures;
· a right to data portability: this will make it easier for individuals to transmit personal data between service providers.
The proposed regulation also supports the digital single market to realise its potential through:
· one continent, one law principle;
· a 'one-stop-shop' for businesses;
· a level playing field: companies based outside of Europe will have to apply the same rules when they offer goods or services on the EU market;
· technological neutrality: the regulation enables innovation to continue to thrive under the new rules.
The Commission notes that the agreement:
· maintains the nature of the legal instrument as proposed by the Commission, namely a regulation as opposed to a directive;
· ensures the necessary level of harmonisation while leaving room of maneouvre for Member States as regards the specifications of the data protection rules for the public sector;
· confirms the Commission approach as regards the territorial scope of the regulation which will also apply to controllers or processors established in a third country if they offer goods or services or monitor the behaviour of data subjects in the Union;
· strengthens the principles of data processing (e.g. data minimisation) and the rights of data subjects by enshrining a right to be forgotten and a right to portability and by further developing existing rights such as the right to information or the right of access;
· preserves and further develops the risk-based approach, which requires that controllers and, in some cases the processors, take into account the nature, scope, context and purposes of processing and the risks of varying likelihood and severity for the rights and freedoms of the data subject of such processing;
· provides that "one-stop-shop" mechanism is legally and institutionally sound, and maintains the key simplification element of having a single decision across the EU and a single interlocutor for business and for the individual;
· further clarifies and specifies the rules on international transfers;
· empowers supervisory authorities to impose financial sanctions for infringements of the Regulation, going up to 2 - 4% of the global annual turnover of an undertaking.
However, the Council position, contrary to the Commission proposal, does not consider the regulation as a development of the Schengen acquis. Therefore, the Commission considers that a statement in this regard is necessary. In that statement, the Commission considers, in particular, that as far as visas, border control and return are concerned, the general data protection regulation constitutes a development of the Schengen acquis for the four States associated with the implementation, application and development of said acquis.