It's here: after years and years of debate, the negotiating parties to the trilogue are reported finally to have agreed the text of the European Union's successor privacy legislation: the General Data Protection Regulation. Jan Albrecht, the German MEP leading up the European Parliament's negotiations on the GDPR, even tweeted this picture of the negotiators who struck today's deal - somehow a fitting use of social media technology, given that the key driver behind this legislative change is to bring Europe's aging data privacy rules up to date for the modern technological era.
This isn't the formal end of the legislative process though - while the text of the GDPR has been agreed by the trilogue negotiation parties (and if you're wondering what a trilogue is, see my colleague Olivier's post here), it still has yet to be formally adopted by the European Parliament and Council. This is very likely to be a rubber-stamping process taking place early in 2016 - only then will the GDPR actually become law. When it does, the countdown clock will begin ticking down to the date when the GDPR comes fully into effect - two years after its adoption (so 2018).
The agreed text has not yet been made publicly available, even though near-final drafts of it have been leaked. Rest assured, Fieldfisher's Privacy, Security and Information team will be reporting as and when it is, and in the meantime, you can find excellent analyses of the changes being brought in by the GDPR in our "Getting to know the GDPR" blog series posted on this blog - in particular:
1. Getting to know the GDPR, Part 1 – You may be processing more personal information than you think
2. Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?
3. Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to “re-think” your legal justification for processing it
4. Getting to know the GDPR, Part 4 – “Souped-up” individual rights.
5. Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed
In a nutshell, what can you expect? Well, the GDPR will usher in an era of greater accountability, with significantly increased transparency and controls for individuals to exercise management of their data. It will have a global effect, so that any business that collects and uses data from European citizens - whether established in the EU or not - will potentially find itself subject to EU data protection rules.
It will apply both to "controllers" and to "processors", meaning service provider businesses (think the B2B cloud) that previously had not been directly subject to EU data protection compliance requirements will find themselves caught by the new rules. And, of course, there is the headline-grabbing news that non-compliant businesses risk fines of up to 4% of global turnover.
Finally, there is the good news that the patchwork quilt of 28 different EU Member States' laws, all with their own quirks and kinks, will be replaced by a single, unifying data protection law, leading (hopefully) to significantly greater data protection harmonization throughout the EU - a "win, win" for consumers and businesses alike. Data protection authorities must live up to this challenge of harmonization through the mechanics of the GDPR's 'one stop shop' and consistency mechanism.
What a journey! While there have been skeptics along the way (and I count myself among them), there's no denying that this is an achievement of simply epic proportions and one that will define the future of Europe's Digital Single Market, of data protection, and of our identities and rights as individuals, for decades to come.
For more information, see this European Commission press release here.