Trilogue negotiations on the General Data Protection Regulation (GDPR) were completed on Tuesday 15 December 2015.

Some Key Provisions

  • The GDPR establishes a single set of rules applying across the EU.
  • Companies based outside Europe will have to comply with those rules when offering services in the EU.
  • Fines of up to €20 million or 4% of annual worldwide turnover may be imposed for a breach.
  • A clarified right to be forgotten is introduced.
  • If relied upon, consent is required to be “unambiguous”.
  • There will be an obligation on many companies to appoint a data protection officer.

One provision that received a lot of last-minute interest – increasing the age at which children would need parental consent for use of social media from 13 to 16 – has not been agreed and will not be included in the final regulation. Instead this will remain a decision for individual member states.

Next Steps

The final text of the GDPR will be confirmed after the Civil Liberties Committee votes on the provisions. This vote is scheduled for 17 December 2015.

The European Parliament will vote on the text in the New Year, after which there will be a two-year implementation period before it takes effect.

Also agreed is the Directive for Data Protection for the Police and Criminal Justice Sector.

The agreed text of the GDPR can be found here and the text of the Directive is available here.