Privacy campaigners have dismissed the latest proposal for new pan-European data protection laws as "meaningless", saying the rules will not strengthen individuals' rights over their personal information.
The EU's Justice Council yesterday agreed on a definitive proposal for a General Data Protection Regulation that would replace the old 1995 Data Protection Directive.
The regulation would establish one set of laws across all 28 member states of the EU, and it could still be introduced by the end of 2015 if negotiations with the European Parliament and the European Council conclude in the next six months.
However, Privacy International and European Digital Rights (EDRi), an organisation representing 33 separate groups, accused the EU of watering down the legislation.
EDRi's executive director, Joe McNamee, said: "This agreement is quite simply a brazen effort to destroy Europe's world leading approach to data protection and privacy.
"The Council position is a mixture of reckless disregard for citizens' fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive."
Under the Justice Council's draft of the General Data Protection Regulation it will strengthen the right to be forgotten by forcing companies or organisations to delete an individual's data upon request, where there are no legitimate grounds for keeping it.
People will also have a right to know if their data has been hacked, with organisations required to notify their national supervisory authority as soon as possible (often within 24 hours) if they suffer a serious breach.
Meanwhile, citizens will also get more information on how their data is being processed - but not why.
But there are 48 exceptions where member states can make their own rules, Privacy International and EDRi claimed.
Additionally, companies can continue to mine people's data if they prove they have a "legitimate interest" in doing so.
"If the purpose of this reform was to strengthen people's control over their personal information and improve enforcement, our governments have achieved the exact opposite," said Anna Fielder, board chair of Privacy International.
"The Council revisions to the draft data protection regulations have done their best to disembowel some of the fundamental principles and further disempower individuals and their representatives by weakening rights."
Previously, the regulations said data processing would be kept to a minimum - but now it simply says it must be "non-excessive".
Bodies representing citizens who believe their privacy rights have been breached would no longer be able to complain to authorities or take judicial action on their behalf, the campaign groups said.
Despite this, Vra Jourov, EU Commissioner for justice, consumers and gender equality said: "Today we take a big step forward in making Europe fit for the digital age. Citizens and businesses deserve modern data protection rules that keep pace with the latest technological changes.
"High data protection standards will strengthen consumers' trust in digital services, and businesses will benefit from a single set of rules across 28 countries. I am convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year."
