EU agrees data protection regime, details to follow

The new data protection rules have been under discussion for almost four years since the European Commission proposed them in January 2012. The reform aims to update rules which stem from as far back as 1995.

On Tuesday evening, MEPs and member states reached a compromise deal in a meeting behind closed doors, mediated by the European Commission.

As of Wednesday morning, the rules themselves had not yet been made public - there are only jubilant press releases from the three EU institutions.

“It is a fundamental agreement with significant consequences,” said Felix Braz, justice minister for Luxembourg, which had negotiated on behalf of the member states.

“This reform not only strengthens the rights of citizens, but also adapts the rules to the digital age for companies, whilst reducing the administrative burden,” added Braz.

EU justice commissioner Vera Jourova said the new rules are “fit for the digital age” and that there was no winner or loser.

“These new pan-European rules are good for citizens and good for businesses,” noted Jourova.

For his part, MEP Jan Phillipp Albrecht, who spoke on behalf of parliament, said the compromise was “a major step forward for consumer protection and competition.”

But much will rely on details of the rules.

For example, the commission's press release said they will give Europeans “a right to data portability: it will be easier to transfer your personal data between service providers."

But how this will work in practice is unclear.

Does it mean that all messages sent via one application, must be allowed to be transferred to another one? That may require significant technical adjustments from most digital services.

The commission also noted there would be a “clarified” right to be forgotten - the idea that personal data can be deleted when requested.

Since a 2014 ruling by the EU's Court of Justice, there has been a de facto right to be forgotten, but only for information which is accessible via search engines and is “inadequate, irrelevant."

The new rules seem to involve broader justification. According to the commission's description, “when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted."

But who will determine what “legitimate" grounds are?

Fines for Facebook?

What is clear, is that it will become more costly for companies who break EU data protection rules, also for American companies like Google and Facebook, to which the rules equally apply.

“In future, firms breaching EU data protection rules could be fined as much as 4 percent of annual turnover - for global internet companies in particular, this could amount to billions,” said Albrecht, of the Green group in parliament.

“In addition, companies will also have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers,” he noted.

The parliament's civil liberties committee will vote on the compromise on Thursday morning (17 December) in Strasbourg.

It will then need approval from the plenary of the parliament, as well as from member states. Following this, a two-year implementation period will apply, meaning it could be until early 2018 before the rules are in force.