EU Reaches Milestone Towards the Adoption of Revised Data Protection Framework

On June 15, 2015, the Ministers of Justice of all 28 European Union member states, sitting as the Council of the EU (Council), reached a crucial agreement for the future EU data protection legal framework. Much work still needs to be completed, but this is a major step forward in the adoption of the EU General Data Protection Regulation (Draft Regulation).

The Draft Regulation was originally based on a proposal issued by the European Commission in 2012, and the European Parliament approved its own version in 2014. Now that the Council has also adopted its version (known as a "common position"), the EU institutions are ready to enter the final stage of the legislative process. Known as the "Trilogue," this is a negotiation between representatives of the Council, the European Commission, and the European Parliament, in which the three institutions will attempt to reach an agreement on the final text of the regulation. The first Trilogue meeting is scheduled to take place on June 24, 2015, with the aim of reaching an agreement by the end of 2015.

The Draft Regulation introduces important changes to EU data protection law that will have a significant impact on companies doing business in the EU. While the timing of final approval is still unknown, the fact that the Council has reached a common position significantly increases the chances that the final text of the Draft Regulation will be adopted in the foreseeable future. This update clarifies where things currently stand, examines how EU data protection law is likely to change in the near future, and details some next steps.

The Council's Common Position

Below is a summary of some of the main issues addressed in the Council's common position:

  1. Extraterritorial Effect. The Council agrees that the scope of the regulation should extend outside the EU to non-EU controllers that offer goods or services to, or monitor the behavior of, individuals in the EU. As a result, EU data protection law will have a broader application to the online activities of non-EU companies.
  2. One-Stop Shop. The European Commission's proposal introduced a new system of centralized data protection enforcement in the EU, under which the Data Protection Authority (DPA) of the EU member state where a company has its main establishment would oversee compliance with data protection law throughout the EU (known as the "one-stop shop"). The Council has weakened the one-stop shop by, among other things, giving the DPAs of all member states concerned the right to intervene in the decision-making process. For companies doing business in multiple EU member states, this is a setback compared to the European Commission's proposal.
  3. Purpose Limitation Principle. The European Commission's proposal restricted the processing of personal data for purposes different from those for which the data was originally collected, but the Council's common position would allow the processing of personal data for a new, incompatible purpose based on the legitimate interest of the data controller. While this provision adds considerable flexibility to the framework, it is doubtful that it will be retained in the final version of the Draft Regulation, as many countries have expressed reservations about it.
  4. Right to Be Forgotten. The common position endorses the so-called "right to be forgotten," which was provided for in the European Commission's original proposal and affirmed by the Court of Justice of the EU in its well-known Costeja decision in 2014.
  5. International Data Transfers. As is already the case, the regulation will restrict companies from transferring personal data outside the EU unless the country involved provides "adequate protection." The Council's text generally endorses the rules on international data transfers proposed by the European Commission, but does improve the situation somewhat by providing a firm legal basis for the use of internal company codes ("Binding Corporate Rules" or BCRs). The Council's text does not explicitly deal with the EU-U.S. Safe Harbor Framework; the Safe Harbor would remain valid until amended or replaced. However, the text is indirectly intended to regulate self-regulatory frameworks such as the Safe Harbor by adding (stricter) criteria that the European Commission should take into account when assessing in the future whether a country (or a sector within a country) provides an adequate level of data protection.
  6. Data Protection Officers. The common position would leave it to national law to require that companies appoint internal data protection officers (DPOs). This approach risks creating a fragmented legal framework around the EU. Companies could face different legal thresholds and requirements for the appointment of DPOs in the EU, which, in practice, is highly burdensome and could undermine the status of DPOs.
  7. Breach Notification. The European Commission's proposal introduced a new obligation to notify DPAs and affected individuals of data security breaches. The Council requires notification to DPAs within 72 hours after having become aware of a breach, and notification to affected individuals without undue delay. However, the Council only requires notification for breaches that are likely to result in a high risk to the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of data protected by professional secrecy, or any other significant economic or social disadvantage.
  8. Sanctions and Fines. The European Commission's proposal provided for administrative fines for data protection violations of up to two percent of a company's annual worldwide turnover or up to €1 million (whichever is greater). The European Parliament increased the level of fines to up to €100 million, or up to five percent of a company's annual worldwide turnover, but the Council returns to the maximum fine provided in the commission's proposal.

Next Steps

While there is broad agreement between the three EU institutions on some key principles, the exact wording of the final text of the General Data Protection Regulation still remains unclear and will be the result of political bargaining between the three EU institutions via the Trilogue meetings. Unfortunately, the Trilogue process is not at all transparent, and it is impossible to know with certainty how it will transpire. We do know that the European Commission, Council, and European Parliament aim to reach a compromise sometime between the end of 2015 and the spring of 2016. Since the Draft Regulation is to enter into force two years after its adoption, this suggests that it could start to apply anywhere from late 2017 through spring 2018.

While the timing remains uncertain, adoption of the common position shows that the Draft Regulation is on track for adoption, and that its core principles will become law. Companies doing business in the EU, or otherwise monitoring EU individuals, should start planning now for the new EU data protection framework and assessing how these new core principles will affect their business.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
