At a meeting of the Justice and Home Affairs council in Brussels, ministers led by Latvia's Dzintars Rasnačs, chairing, agreed a general approach on general data protection regulation that establishes rules adapted to the digital era.
"Today we have moved a great step closer to modernised and harmonised data protection framework for the European Union. I am very content that after more than 3 years of negotiations we have finally found a compromise on the text. The new data protection regulation, adapted to the needs of the digital age, will strengthen individual rights of our citizens and ensure a high standard of protection," Rasnačs said.
However, it's far from the end of the road. A 'general approach' means that the council has a political agreement on the basis of which it can now begin negotiations with the European Parliament with a view to reaching overall agreement on new EU data protection rules. First discussions with the Parliament are planned for 24 June 2015.
"I salute the readiness of the European Parliament to start the trilogue negotiations already next week. Hopefully we will come to the final agreement rapidly so that our citizens can enjoy the benefits of the reform as soon as possible", said Rasnačs.
After that, the incoming Luxembourg Presidency will take responsibility for further progress.
Under the agreed wording, personal data must be collected and processed lawfully under strict conditions and for a legitimate purpose. Data controllers (those responsible for the processing of data) must respect specific rules, such as the requirement for unambiguous consent by the data subject (the individual whose personal data is being processed), in order to be allowed to process personal data.
To ensure improved legal redress, data subjects will be able to have any decision of their data protection authority reviewed by their national court, irrespective of the member state in which the data controller is established.
Data subjects, as well as, under certain conditions, data protection organisations can lodge a complaint with a supervisory authority or seek judicial remedy in cases where data protection rules are not respected. Furthermore, when such cases are confirmed, data controllers face fines of up to €1 million or 2% of their global annual turnover.