The agreement has been reached… #GDPR “IS” under the Christmas tree!

By | Wednesday December 16th, 2015

On Tuesday (December 15, 2015) evening, after nearly four years since the Commission tabled its proposal (in January 2012), the European Institutions (European Commission, European Parliament, Council of the European Union) during the last trilogue meeting have finally reached a deal on the (new) Data Protection Regulation.

First of all, to point out some relevant key issues of the agreement, let’s have a look to what Jan Albrecht (Parliament’s rapporteur on the General Data Protection Regulation) stated.

  • Jan Albrecht – Parliament’s rapporteur on the General Data Protection Regulation (European Parliament)

Replacing a “patchwork” of national data protection rules
The legislation will create an EU-wide data protection regime for the first time, replacing the outdated patchwork of national data protection rules. This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age.

Fines of up to 4% of revenue
Firms contravening the data protection regulation would face fines of up to 4% of revenue, which could imply € billions for the major global online corporations.

Data Protection Officer
“Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.”

Data Transfer
“The new rules will give users back the right to decide on their own private data. Businesses that have accessed users’ data for a specific purpose would not be allowed to transfer the data without the user being asked. Users will have to give explicit consent for their data to be used.”

Parental Consent at 16 for children wishing to use information society services
“The European Parliament had proposed that the age at which users can consent to the use of their data by parental agreement be set at 13 but EU governments opposed this and, instead, the matter will be left to member states which can set the age between 13 and 16 years at the maximum.”
(The Greens|European Free Alliance – EU data protection rules, Dec Tue 15, 2015)

Following some comments immediately after the agreement.

  • Věra Jourová – European Commissioner for Justice, Consumers and Gender Equality (European Commission)

“Today we deliver on the promise of the Juncker Commission to finalize data protection reform in 2015. These new pan-European rules are good for citizens and good for businesses. Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market. And harmonised data protection rules for police and criminal justice authorities will ease law enforcement cooperation between Member States based on mutual trust, contributing to the European Agenda for Security.”
(European Commission – Press release, Dec Tue 15, 2015)

  • Monika Kuschewsky – special counsel at the Brussels office of law firm Covington & Burling.

The year 2015 will go down in history as the year of data protection, not only because of these three important pieces of legislation, but in addition several landmark rulings of the Court of Justice of the EU on the EU-U.S. safe harbor arrangement and the scope of application of EU data protection law.”
(Politico, EU reaches deal on data protection rules – Tue Dec 15, 2015)

  • Emma Morris, head of international policy of the Family Online Safety Institute.

“The proposals do not take into account the reality of millions of children that have already become active users of these services. The feasibility of suspending their accounts and banning them from the platforms will be nearly impossible to implement. Vital protections offered to younger users of social media sites may be invalidated by causing children to lie about their true age.”
(Politico, EU reaches deal on data protection rules – Tue Dec 15, 2015)


Here some of the First Press Releases announcing the Agreement.

Financial Times

Under the agreed rules, companies will have to employ a data protection officer if they handle significant amounts of data, along with a host of other measures aimed at giving consumers more say over what businesses can do with personal information.
Lobbyists for US tech groups staged a last-minute push to water down proposals to ban companies from handling data from under-16s without parental consent. Negotiators agreed on a compromise, whereby member states would be able to decide on a national basis whether companies could handle data from those aged between 13 and 15.
(Financial Times, EU agrees strict new rules on data protection – Tue Dec 15, 2015)

The New York Times

The new rules were approved at a meeting of representatives from the European Commission, the executive arm of the European Union; the European Parliament; and member states. The officials had been meeting regularly since the summer to reach a compromise, though they often differed on how far Europe’s privacy rules should go in capping companies’ access to people’s online information.

Among the new policies approved on Tuesday:

Allowing national watchdogs to issue fines, potentially totaling the equivalent of hundreds of millions of dollars, if companies misuse people’s online data, including obtaining information without people’s consent.

Enshrining the so-called right to be forgotten into European law, giving people in the region the right to ask that companies remove data about them that is either no longer relevant or out of date.

Requiring companies to inform national regulators within three days of any reported data breach, a proposal that goes significantly further than what is demanded by American authorities.”
(The New York Times, Europe Approves Tough New Data Protection Rules – Tue Dec 15, 2015 )

And finally… allow me to show (what I think to be…) the first tweet announcing the agreement:

  • Axel Voss – Group of the European People’s Party

#EUdataP Trilogue on Regulation is finished, the agreed text could be better, it was impossible to reach more, a lot is not easy to handle.” (Twitter, Dec Tue 15, 2015 19:44 CET)

Next step… on Thursday extraordinary meeting of the LIBE Committee has been planned to vote the final text!

Category: Legal framework

About Biagio Lammoglia

Biagio Lammoglia is a freelancer as a Compliance & Privacy Officer since 2014. For the previous sixteen years he had been working with a retail company, first as a Technical and Infrastuctured Manager and then as a Security and Compliance Officer, providing guidance in security strategy, policies and privacy issue. He is a graduate of the University of Milan in Computer Science (formally Laurea in Scienze dell'Informazione) and member of CLUSIT (Associazione Italiana per la Sicurezza Informatica) as well as member of FederPrivacy (Federazione Italiana della Privacy).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.