EU data protection framework has finally been agreed

After over three years of discussion at many levels, the new EU data protection
framework has finally been agreed. It takes the form of a Regulation – the General Data
Protection Regulation. The GDPR will replace the current Directive and will be directly
applicable in all Member States without the need for implementing national legislation.
It will not come into force immediately (this is likely to be in the first half of 2018).
However, as it contains some onerous obligations, it will have an immediate impact.

Political agreement has been reached through trilogue discussions between the European Commission, the Parliament and the Council in a timeframe that has come as a surprise to many. Each institution had previously published its own form of the text, a process which took years, and there were some significant differences in approach. However, they have clearly been working hard to reach agreement over the last few months. Their agreement marks a milestone in data protection laws in the EU.

Ever since the European Commission first proposed its text back in 2012, this legislation has attracted a huge amount of attention. It even appears to have been influencing decisions by the Court of Justice of the EU as they have tried to interpret EU law in an environment where many corporations had already started to operate under the expected new regime. This response was hardly surprising. Organisations across the EU and beyond have been frustrated by the increasing lack or harmonisation across the Member States, despite data flowing increasingly without boundaries. There has been a growing desire to get the GDPR agreed quickly, even if this means that some of the detail has been left for later. The EU institutions have certainly stepped up to the plate.