After almost four years of negotiations, it has (almost) been adopted: the new EU General Data Protection Regulation. It is supposed to bring about uniform data protection regulations in all EU countries from 2018, as well as more rights for citizens and more obligations for companies.

On 15 December 2015, the EU Commission, the European Parliament and the Council of Europe agreed on a uniform wording for the General Data Protection Regulation. The text is currently being consolidated and is supposed to be adopted in the first quarter of 2016. The Regulation is planned to become effective in 2018 and will then replace the national data protection laws as directly applicable law. Some matters can, however, still be regulated on a national level, in particular matters relating to employee data protection and the DPO function/institution.

Important aspects of the General Regulation are the "right of a user to be forgotten" (right to the deletion of user data) and the right to data portability (this will be particularly relevant for software providers). If companies violate any provisions of the Regulation in the future, this can be punished with a fine of up to 4% of the (worldwide!) annual turnover.

The Federal Commissioner for Data Protection and Freedom of Information, Andrea Voßhoff, praised the agreement as a milestone for European citizens and companies operating in Europe. The CEO of Bitkom, Dr. Bernhard Rohleder, is, however, not convinced and points out that this involves considerable effort for companies. He fears that, with the Regulation, a "bureaucratic monster" is being created that prevents new companies from gaining a foothold in the market.