The EU Council and the European Parliament have officially adopted their final position on the General Data Protection Regulation (GDPR) after more than four years of negotiations. The regulation, which was approved and passed by the European Parliament on 14 April, updates and modernises the principles of the 1995 Data Protection Directive (95/46/EC), aiming to give European citizens control of their personal data and create a high, uniform level of data protection across the EU that is fit for the digital age. The GDPR will enter into force 20 days after it is published in the Official Journal of the European Union and will be directly applicable in the same way across all the Member States of the EU 2 years thereafter (in other words, in about May/June 2018).

A compromise was agreed with the European Parliament on 15 December 2015. On 8 April 2016, the Council adopted its position at first reading, which paved the way for the European Parliament’s vote in second reading at its plenary session and adoption on 14 April 2016. This has finally completed the legislative process for the GDPR.

The new rules include provisions on:

  • a right to be forgotten (which confirms the position adopted by the Court of Justice in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González);
  • “clear and affirmative consent" and “explicit” to the processing of private data by the person concerned;
  • a right to transfer your personal data to another service provider;
  • the right to know when your personal data has been hacked or a breach has occurred in relation to your personal data;
  • ensuring that privacy policies are explained in clear and understandable language; and
  • stronger enforcement and fines up to the greater of 4% (or euro 20 million) of a firm's total worldwide annual turnover, as a deterrent to breaking the rules.

Jan Philipp Albrecht (Greens, DE), who steered the legislation through Parliament, has given the following statement on the final adoption: “The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European 'yes' to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share.”

Albrecht added: “The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition.”