Following a vote today, Thursday 14 April 2016, at a plenary session of the European Parliament, the final text of the General Data Protection Regulation ("GDPR") was formally adopted by the European Parliament.
On 6 April 2016 the Council of the European Union released an updated version of the final text of the GDPR, which was approved today by the European Parliament. Click here to read the full text. This means the text is now formally adopted and this represents the final stage in the long legislative journey since the first draft was published by the European Commission in January 2012. Click here to read the European Parliament’s Press Release.
The final text of the GDPR follows three months of legal-linguistic checks and translations of the text first approved by the EU Parliament's LIBE Committee and published on 15 December 2015 (click here to view our alert on this). Any amendments to this latest version have primarily been made to clarify certain drafting points and numbering rather than introducing any substantive changes. Once the translations into all of the official languages of the European Union have been finalised, the GDPR will be published in the Official Journal of the European Union ("OJEU").
The GDPR will become law twenty days after it is published in the OJEU, and its provisions will become applicable exactly two years after this date (i.e. mid-2018).
The GDPR represents a radical overhaul of Europe's data protection laws and will replace the existing Directive (95/46/EU) and all national implementing laws, including the UK Data Protection Act 1998. The GDPR will have direct effect in Member States, without the need for implementation in full through separate national laws. That said, it is expected that some national implementing legislation will be required relating to certain key areas including provisions regarding processing required to safeguard national security and other important economic or financial interests of that Member State, such as monetary, budgetary and taxation matters, public health and social security.
Over the next two years, companies will need to prepare to ensure that their organisations will comply with the greatly enhanced requirements of the GDPR when it comes into force in 2018. Member State data protection authorities, as well as the Article 29 Working Party and the European Data Protection Supervisor will be issuing further guidelines and opinions during this implementation stage to assist companies with their preparations.