Earlier this week, talks on the final wording of the proposed General Data Protection Regulation were opened. The discussions involve officials from the European Commission, European Parliament and Council of Ministers.
At a press conference following the first round of trilogue negotiations, EU justice commissioner Věra Jourová said that the EU law makers are "on track" to adopt the new Regulation, and a new data protection directive governing personal data processing by law enforcement agencies, before the end of 2015.
She said that, once adopted, guidelines would be developed by the Commission in partnership with DPAs to detail what provisions contained in the Regulation mean in practice "so that the Regulation goes live in an equal way" across EU countries.
"The Regulation cannot contain all the cases which might occur," Jourová said. "So [the guidelines] will be important for fine tuning and equalisation of imposing of penalties, because we are introducing quite strict penalties after we agree on them… We have a lot of work to prepare the European public and European businesses for this to be well implemented and understood."
Data protection law expert Lucy Jenkinson of Pinsent Masons, the law firm behind Out-Law.com, said the new Regulation will bring many new challenges to businesses and clarity will be welcomed on many aspects of it.
"This includes on the scope of the redefined 'personal data'; what is meant by 'unambiguous consent'; the practicalities of the detailed requirements for fair processing notices; the new obligations imposed on 'data processors'; the operation of the new 'right to be forgotten'; the mechanics of the new right to data portability; the details of any certification mechanisms envisaged in the Regulation; and the internal governance arrangements that will replace the existing requirement to notify with the Information Commissioner," Jenkinson said.
"'Precise and concrete guidelines' to be developed by the European Commission will be helpful, however they must also take into account the realities for businesses of achieving compliance," she said.
The European Parliament and Council of Ministers, both of which will have to formally vote in support of the new Regulation for it to come into force, have endorsed different approaches to the enforcement and sanctions regime that should be applied under the new framework.
MEPs want companies to face a maximum fine of up to 5% of their global annual turnover, or €100 million if greater, should they breach the new Regulation. However, the Council has endorsed a more complex three-tiered system for fines where the severity of the penalty that DPAs could impose would depend on the nature of the non-compliant activity. The Council wants the stiffest penalties to be restricted to an upper limit of 2% of companies' annual global turnover.
A complicated enforcement regime would also be established under the new Regulation to account for cases where a business's non-compliance with the rules has an effect in a number of different EU countries.
Under plans backed by the Council, DPAs would have to collaborate with one another when assessing what action to take against companies that allegedly breach the new Regulation where those cases are of an important cross-border nature. The plans envisage a role for the European Data Protection Board (EDPB), a new privacy watchdog that would be established under the Regulation to replace the existing Article 29 Working Party, in resolving disputes between DPAs on how to handle such cases.