Earlier this month, we reported the progress of trilogue discussions on the long-awaited General Data Protection Regulation (GDPR). On 15 December 2015, almost four years after the legislative proposal was originally tabled by the European Commission, the European Parliament and the Council finally reached agreement, bringing the GDPR one step closer to adoption.

The final trilogue negotiations, which concluded on 15 December 2015, saw a “strong compromise” reached between the European Council, Parliament and Commission. The GDPR will be formally adopted by the European Parliament and Council at the beginning of 2016, and organisations will then have two years to ensure that their data practices are compliant. Some headline provisions of the agreed text are:

  • Companies can be fined up to 4% of their annual turnover for data protection breaches
  • Companies based outside Europe will be subject to the regulation if they offer goods and services in Europe
  • Companies processing sensitive personal data must appoint a data protection officer
  • Companies will only have to deal with a single supervisory authority

Much of what has been confirmed is not new; however, the most surprising element is the agreement that fines of up to 4% of a company’s annual turnover may be imposed for data protection breaches. Previous trilogues indicated that fines of up to 2% of annual turnover would be imposed under the Regulation. As a silver lining, social media companies can breathe a sigh of relief after a last-ditch attempt to raise the age of consent for children to 16 was abandoned.

The GDPR has been hailed for unifying Europe’s data protection rules, allowing individuals to regain control over their data, and cutting costs and red tape for businesses. Andrus Ansip, Vice-President for the Digital Single Market, praised the GDPR for building a “strong basis to help Europe develop innovative digital services”. Věra Jourová, the Commissioner for Justice, Consumers and Gender Equality, echoed these sentiments, stating that the GDPR sets down “clear rules that are fit for the digital age and at the same time create opportunities and encourage innovation in a European Digital Single Market”.