The European Council has approved its own draft of the General Data Protection Regulation (GDPR). The next step is for the European Council, European Commission, and European Parliament to combine their various versions and agree on the same text. Talks are scheduled to commence this summer on a finalized version scheduled for December 2015. Key points from the Council draft relate to extraterritoriality, the European Data Protection Board, and notification.
The GDPR will apply to goods and services offered to, and the monitoring of, data subjects in the EU, irrespective of whether the source offering the goods or services is located in the EU. The GDPR will also create the European Data Protection Board, a significant decision making body similar to the Article 29 Working Party. Moreover, the GDPR mandates breach notifications to Supervisory Authorities and affected individuals for breaches that are likely to result in a high risk for the rights and freedoms of individuals. The Notice to affected individuals must be made “without undue delay” and the notice to Supervisory Authorities within 72 hours.