In January 2012, the European Commission presented a draft personal data regulation strengthening the individual's rights and handling the challenges of globalisation and new technology. After the draft regulation was considered by the European Parliament, the European Council agreed on a general recommendation on 15 June 2015.

The recommendation includes the same elements as before by way of clearer rights for individuals, more uniform rules on personal data within the EU and a requirement that, in a number of situations, companies outside the EU must comply with the rules as well as much higher penalties.
Below, we will explain a number of the most important elements of the Council's recommendation:

Increased level of data protection

Strict requirements concerning collection and processing of personal data. Controllers must comply with special rules within some areas such as the requirement for unambiguous consent from the individual to personal data being processed for one or more specific purposes. If the personal data is sensitive, explicit consent must be obtained.

A strengthening of the rights means that the individual will get more control over his personal data through easier access to own data and more detailed information on the implications of sharing personal data as the controller must inform the individual about the controller's privacy policy in a clear and simple language. "The right to be forgotten" implies that the controller must delete personal data without undue delay in five specific situations:

1. When the personal data is no longer necessary compared to the purpose behind the processing.
2. When the individual withdraws its consent to the processing of personal data.
3. When the individual objects to the processing of personal data.
4. When the personal data has been collected illegally.
5. When prescribed by law that the personal data must be deleted.

To ensure improved litigation, individuals will get the opportunity that the national court can review a decision from a data protection authority notwithstanding in which member state the controller is established

Increased business opportunities within the digital single market

The personal data regulation applies directly to all member states and is activated when businesses and organisations process personal data on persons residing in the EU. The rules also apply to non-European businesses which have received personal data in connection with 1) supply of goods and services independent of whether payment is required or 2) supervision of EU citizens' actions if these are taken within the EU.

Uniform rules will prevent that contradicting national rules obstruct cross-border data interchange. Further, the regulation will also result in increased cooperation between the member states' data protection agencies ensuring coherent application of the rules. The objectives are fairer competition and to encourage especially small and medium businesses to exploit the digital market in the best way possible.

Also a one-stop-shop principle will be introduced relevant in cross-border cases where more data protection agencies have authority, e.g. because the personal data concerns citizens in different member states. In this situation, the data protection agency in the country where the controller is domiciled will make an aggregate decision based on a somewhat complicated cooperation procedure with the agencies in the other affected member states. The one-stop-shop principle is to reduce costs and increase legal protection.

More and improved tools to enforce compliance with the data protection rules

According to the new regulation, the controller must implement appropriate protection measures of a technical and organisational nature to ensure a protection level proportionate with the risks related to the processing of personal data.

If a security flaw results in a high risk of infringement of the registered persons' rights, the company is obligated to notify the data protection agency within 72 hours and notify the registered persons without undue delay.

The controller is free to choose whether it will appoint an internal controller, unless national law provides mandatory requirements in this respect.

Individuals may complain to the data protection agency or bring a complaint before the courts. The controller may be ordered to pay a penalty of up to EUR 1 million or 2 % of the total annual turnover.

Warranties concerning transfer of personal data within the EU

After having heard the member states and the European Parliament, the European Commission is authorised to decide whether the data protection level is sufficient in countries outside the EU. If the Commission does not make a decision, the personal data may only be transferred when warranties concerning i.a. standard terms on data protection, binding company rules and contract terms are in place. In this way, personal data transferred to countries outside the EU and to international organisations will be protected.

Further process

After the draft regulation was considered by the European Parliament, the European Council agreed on a general recommendation on 15 June 2015.

The next step towards adoption of the new data protection rules will be for the European Council to start negotiations with the European Parliament and the European Commission for the purpose of concluding an aggregate agreement concerning the regulation. The first meeting was on 24 June 2015. The European Council's agreement is a big step towards more modernised and harmonised protection of personal data within the EU.