Values and rights, rule of law, security

26.1) Implementing in full the existing data privacy legislation and reviewing it to evaluate, if necessary, the establishment of stronger enforcement mechanisms for entities processing personal data, currently under competence of independent national data protection authorities respecting the principle of subsidiarity. Such entities should be sanctioned in a stricter way than in the current implementation of the regulation, in proportion to their annual turnover (up to 4%), also possibly through a ban on their activities, and be subject to annual independent audit.

26.2) Giving more effect to the principle of privacy by design and default, e.g. by evaluating and introducing easily understandable, concise and user-friendly harmonised data processing consent forms that clearly indicate what is necessary and what not.Users must be able to give or withdraw their consent to data processing in an easy, fast and permanent manner;

26.3) Evaluating and introducing clearer and more protective rules about the processing of minors' data, possibly in the EU GDPR, including through the creation of a special category for sensitive minors' data and the harmonization of age consent threshold within the EU Member States. While the bulk of privacy rules implementation and awareness raising should remain within Member States' remit, including through higher investment and further resources at national level, the EU should also have stronger role e.g. by creating EU competences on civic education concerning data protection;

There are currently no implementing initiatives that address this particular CoFE measure.

26.4) Better enforcing eligibility criteria for theEuropean and national Data Protection Authorities, in terms of qualifications and suitability, to ensure the highest level of independence of their members.


There are currently no implementing initiatives that address this particular CoFE measure.