Stronger rules on data protection by EU institutions agreed

On the eve of the GDPR compliance deadline, European politicians agree new rules to strengthen data protection in EU organisations

Negotiators representing the European Parliament and Council have agreed new rules for data protection in European Union (EU) institutions, bodies, offices and agencies.

The informally agreed rules are aimed at bringing existing rules that date from 2001 into line with the General Data Protection Regulation (GDPR) and the proposed e-privacy rules to uphold citizens’ rights to personal data protection.

The GDPR leaves room for implementation of its provisions in certain areas by member states. A specific regulation is needed for EU institutions to play a role comparable to a national law implementing the GDPR.

The new rules will “ensure a strong and coherent framework for data processing”, the European Parliament said in a statement.

In a break with the past, the rules will also apply to judicial cooperation agency Eurojust once the reform of the agency is agreed by the Parliament and the Council.

Negotiators recommended that the rules should be extended to policing agency Europol and the European Public Prosecutor’s Office in 2022 after a review by the Commission.

The negotiators agreed to strengthen the role of the European Data Protection Supervisor (EDPS), the independent supervisory authority that ensures the application of the rules across all EU institutions and bodies. The EDPS will also be able to fine EU institutions or bodies that do not live up to the data protection rules.

Cornelia Ernst, rapporteur for the Civil Liberties Committee, said: “This regulation will make sure the EU institutions have to live up to the same standards in data protection as everybody else in the EU.

“This will include Eurojust and, in the near future, Europol and the European Public Prosecutor. This is important, because these agencies process a lot of very sensitive data and data protection is most relevant particularly in the framework of law enforcement.”

The agreed text must now be formally approved by the Civil Liberties Committee, the European Parliament as a whole and the Council of the EU before coming into force.

The new rules will take effect 20 days after their publication and will be applicable immediately.
