After almost four years of debate, the European Commission, Parliament and Council have finally reached political agreement on the proposed General Data Protection Regulation (the "GDPR"). The final text of the GDPR will now need to be formally approved by the European Parliament and the Council at the beginning of 2016. There will then be a two year implementation period before the GDPR comes into effect, meaning that organisations should expect the new rules to apply from sometime in 2018.
In January 2012, the European Commission put forward its proposals for a significant overhaul of the European data protection regime, in the form of the GDPR. The aim of the initial proposal was to harmonise data protection procedures and enforcement across the EU (replacing the existing Data Protection Directive 1995/46/EC), and to achieve consistency with existing systems for ensuring privacy online (such as the existing ePrivacy Directive 2002/58/EC).
However, the road to agreement has been a long one and the GDPR was reportedly the most heavily lobbied Regulation in the history of the European Parliament. Despite being initially proposed at the start of 2012, the European Parliament did not reach an initial position on the proposal until March 2014, and the Council of the European Union took a further 15 months to agree their own initial position (in June 2015). Since that time the three institutions have been holding informal "trilogue" negotiations to try to agree an overall compromise. The last of these negotiation meetings took place on Tuesday 15th December, where a "strong compromise" was reportedly agreed.
The final text of the GDPR has not yet been released. However, it has been reported that fines under the GDPR will be increased from the current maximum of £500,000 in the UK to up to 4% of global annual turnover.
The European Parliament’s Civil Liberties, Justice and Home Affairs [LIBE] Committee approved the agreement earlier today (17 December 2015). The next step will be a vote in full Parliament in the New Year. The Council will also need to formally approve the agreed position.
We will be publishing a further eBulletin on the GDPR once the final text has been released. In the meantime, please get in touch with your usual Herbert Smith Freehills contact (or one of the contacts on the right-hand side of this bulletin) if you would like to discuss the implications of the new GDPR.