Late yesterday, 15 December 2015, in so-called 'trilogue' meetings, the European Parliament, the Luxembourg Presidency of the Council and the European Commission agreed on the wording of the new personal data regulation - and a directive on data protection for police and criminal authorities (covered by the Danish opt-out) - entitled the "data protection package".

The wording of the final personal data regulation is yet to be published. The formal adoption procedure will take place at the end of 2015/the beginning of 2016. Therefore, the following is based on previous drafts of the personal data regulation and minutes of the final negotiations.


The personal data regulation will entail significant changes in the area of personal data protection compared to the existing directive from 1995. The purpose of the new rules is mainly for persons to regain control of their own data and for uniform rules to apply throughout the EU with a consequent relief for companies, which, however, is counterbalanced by increased penalties for violation of the rules. In addition, the personal data regulation is to support the digital single market and attempts have therefore been made to adapt it to the modern-day digital world.

Here are some of the most important consequences of the new personal data regulation:

  • Increased information to persons about why and how their personal data are processed - and which rights they are given under the personal data regulation.
  • The rules as to how old children must be to consent to processing of their own personal data are changed. This indicates that the Member States are free to decide whether children must be between 13 and 16 years old. This is expected to have significant impact on children's use of social media and will be difficult to handle in practice for companies operating across borders.
  • The penalty level will be significantly increased. This indicates that the penalty level will be up to four percent of companies' global yearly turnover and for others up to EUR 20 million.
  • The "right to be forgotten" will extend the current rules on deletion of data so that it will be easier to demand deletion of own data at e.g. companies.
  • The right to data portability (i.e. transfer of personal data from one service provider to another) will make it possible to have data removed from social media etc.
  • Breach of data security must be reported to the Data Protection Agency and to the persons whose data have been compromised.
  • Risk-based access to security etc.
  • Abolition of reporting schemes.
  • The rules will facilitate the use of Big Data, e.g. via pseudonomysation.
  • Everything seems to indicate that the role as Data Protection Officer in companies and public authorities will be made mandatory to some extent.
  • Everything also seems to indicate a common responsibility for the data controller and the data processor for violations of the personal data regulation.
  • Attempts have been made to cut red tape for small and medium-sized enterprises.
  • The rules prepare the ground for improved cooperation between the European data protection authorities.
  • In a number of provisions, it has been left to the individual Member States to decide how the rules are to be worded. This must be assumed to result in a non-uniform state of the law in certain areas in the individual Member States. The rules will thereby be more difficult to handle for especially international companies.

We will keep you updated on the development, including how the rules will be incorporated in Denmark and on a European level.