An easy way of publishing your relevant EU press releases.

EU Data Protection package is an improvement, but work needed to ensure it does not harm small businesses


17 Dec 2015



The new data protection legislation will be put to a vote today in the European Parliament's Civil Liberties committee. Timothy Kirkhope, the European Conservatives and Reformists Group lead negotiator on the package, will support the agreement on the regulation and the directive, but now believes the European Commission has some work ahead to ensure business is clear on its rights and responsibilities under the new regime.

Mr Kirkhope said:

"The key to whether this legislation succeeds or fails will be how the European Commission implements it. If the commission can make sure that businesses have a clear understanding of how the principles affect them, and the actions they must take, then it can have a positive effect.

"What has come out of the process is a significant improvement on previous proposals, with a more reasonable approach to fines and protection for medical and scientific research. The regulation takes more of a risk-based approach and we were also pleased to be able to ensure countries that want lower ages for parental consent on social media have been accommodated. 

"The big multinationals have vast compliance departments for unravelling what this law means for them. Now we need for the European Commission to be clear in how it implements the law so that smaller businesses are clear on how this law will affect them, and how they can prepare for it.

"If the European Commission implements this law correctly then it should bring real benefits to how people can take control over their data. If they mishandle the implementation, it will become a burden for businesses."



Key aspects of the regulation are:


The text removes the vague concept that 'unambiguous consent' is needed for processing data, replacing it with 'consent' that can take the form of any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by written, electronic, or oral statement, or if required by specific circumstances, by any other clear, affirmative or unambiguous action by the data subject. This could include ticking a box (not pre ticked boxes), or any other statement or conduct which indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence will not constitute consent. Processing sensitive data such as ethnic or racial origin or political opinion will be dealt with separately.  

Consent for children

The rules will require parental consent for processing personal data for under 16s, but if national law applies that age can be lowered to 13. In some countries the 16 year old age of consent will lower the age, whilst other countries with lower ages can continue to apply them.

Right to rectification

Data subjects shall have the right to obtain from the controller without undue delay the rectification of personal data concerning him or her which are inaccurate.

Data breaches

Data breaches will have to be notified to the supervisory authority within 72 hours and where such a breach is likely to result in a high risk for the rights and freedoms of individuals, they should be notified without delay.

Data protection officer

Bodies that systematically monitor and process data on a large scale will be required to appoint a data protection officer.


There will be a two tier system for higher and lower data breaches.

The lower level maximum fine would include 2% of the previous year's worldwide turnover for a company, or a maximum fine of 10, 000, 000 Euros. The higher level maximum fine would be 4% of the previous year's worldwide turnover for a company, or a maximum fine of 20, 000, 000 Euros. Supervisory authorities will take into account the nature, gravity and duration of the infringement before deciding what fine to levy, and lower, more proportionate punishments are possible for minor infringements.

Medical and scientific research and historical records

Medical research, scientific research and historical and statistical data are dealt with separately, when used in the public, scientific or historical interest. It is appropriate to safeguards to ensure data minimisation and to look at other ways of protecting data such as pseudonymisation. Specific national derogations can be applied to ensure public interest around research.


Contact: ECR Press Office, James Holtum on +32 473

The ECR was created to take the EU in a new direction, according to the principles of our founding Prague Declaration.

For more information on the ECR, watch our promotional video at or visit our website:


University of Lorraine
European Policy Officers
Glass for Europe
Intern in Communication
EFIEES - European Federation for Intelligent Energy Efficiency Services
Communications Intern
The Federation of European Securities Exchanges (FESE)
Policy and Data Analyst
EAIC - European Association of Innovation Consultants
Secretary General