Officials from the European Parliament, Council of Ministers and European Commission met in Brussels to begin work on finalising the wording of the General Data Protection Regulation. The Regulation, if agreed upon, would introduce a new single data protection law for the whole EU that would apply to all businesses processing personal data of EU citizens regardless of where they are based in the world.
Separately, the law makers have been considering a new Directive that would govern personal data processing by law enforcement bodies and other agencies in criminal cases.
The Commission's original proposals for data protection reform have been heavily scrutinised by law makers in both the Parliament and Council since they were published in January 2012. MEPs endorsed their own version of the Regulation last year and a broad consensus was reached by the Council on an alternative draft Regulation earlier this month, paving the way for the trilogue negotiations to begin.
However, major differences exist between the proposals, and the Parliament and Council must both vote to approve the wording of the reforms before the new laws can be introduced.
The differences include divisions between the Parliament and Council over the standard of consent that organisations should be required to obtain from people if seeking to rely on consent as a legal basis for processing personal data. MEPs backed rules which require 'explicit' consent to be obtained, whereas the Council's draft specifies the need for 'unambiguous' consent to personal data processing.
Consensus will also need to be reached on issues such as how enforcement of data protection will be handled in cross-border cases, whilst the sanctions regime will also need to be agreed upon. MEPs want data protection authorities to be able to fine companies up to 5% of their annual global turnover. However, the Council wants to place a 2% turnover limit on possible fines.
The new Regulation will also bring in new requirements on the notification of data breaches, force companies to carry out data protection impact assessments before launching certain new products and services, and could alter the balance in liabilities that currently exists between data controllers and processors.
Political leaders in Europe previously committed to finalising reforms to the EU's data protection law framework "by 2015". The new Regulation is unlikely to take effect until late 2017 or early 2018.