On Monday, the European Council approved a proposal for the new European General Data Protection Regulation. Among other things, the regulation describes the right to be forgotten and to have access to personal data. The regulation has been criticized.
Now that the justice ministers of the member states have reached an agreement, the proposal can be discussed with the European Commission and the European Parliament. The first meeting is scheduled for June 24 and the aim is to finalize the regulation before the end of this year.
Work on the privacy regulation has been in progress since 2012, when the European Commission made the first move, which received the support of the European Parliament in March 2014 after some adjustments. The European Council says it has now adopted ‘many of the fundamental pillars’ of the proposal. The ministers emphasize that companies from outside Europe must comply with one set of privacy rules for the entire EU, and those rules would better protect the privacy of residents of member states.
The proposal for the regulation describes, among other things, the right to be forgotten: companies should delete data on request if there is no longer a legitimate reason to process or retain it. However, the text includes the exception that exceptions are possible on the basis of the right to freedom of expression and the media, such as newspaper archives. Companies must demonstrate that data retention is still necessary or relevant.
The proposal also states that companies and organizations that process data are obliged to inform the privacy authority of their Member State as soon as possible in the event of a major hack, so that customers have time to take measures. In addition, the right to data portability is included: customers must be able to take their personal data with them when they switch to another provider.
The penalty clause stipulates that companies risk an amount of 2 percent of their annual turnover if the regulation is violated. In other cases, the fines can amount to a maximum of 1 million euros.
In the run-up to the adoption of the text, there was criticism from civil rights groups. Under the influence of a lobby of companies, the Council would have weakened the position of citizens. For example, EDRi believes that the text about data processing is so broad that companies can too easily rely on a legitimate interest in processing the data. Bits of Freedom also thought the text was too watered down.