The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 and will regulate the processing of personal data inside the EU and of EU residents. The GDPR is regarded as the most significant change to the European data protection regime in over 20 years and it has been speculated that it is the most lobbied-about piece of EU legislation to date. That said, the GDPR builds upon many of the existing data protection principles under the current laws.
The GDPR is expected to increase data protection standards globally as its remit expands beyond the EU, in particular to non-EU organisations which offer goods or services to EU residents or monitor their behaviour, even where that processing of personal data does not take place in the EU. As a result, those non-EU organisations will also be required to comply with the GDPR. With the impending due date of the GDPR in less than one year, we are now seeing many of our clients implementing the changes required to comply with the GDPR’s standards. In addition, the Office of the Data Protection Commissioner has increased its GDPR awareness campaigns.
As a Regulation (which has direct effect under Member States’ laws), the GDPR will replace both EU and national data protection legislation. In Ireland, the GDPR will replace the 1995 Data Protective Directive (Directive 95/46/EC), which is the EU Directive on which the current Irish data protection legislation, the Data Protection Acts 1988 and 2003 (as amended), is based.
Since the 1995 Data Protection Directive was introduced, there have been significant advances in technology and the uses that organisations can make of personal data has become increasingly sophisticated. It also became apparent that there are differences between Member States in terms of how they have implemented the 1995 Data Protection Directive, which has caused compliance difficulties for organisations that operated in a number of different EU jurisdictions. For these reasons, it was decided at an EU level that data protection law reform was needed to make Europe fit for the digital age, strengthen citizens’ rights in the digital age and also to eliminate the current fragmentation in implementation between Member States.
After four years of negotiations, the European Parliament adopted the final text of the GDPR on 14 April 2016. We have set out a brief timeline of the main events leading up to the GDPR’s adoption.
- 25 January 2012; The European Commission published the first draft of the GDPR.
- 12 March 2014; The European Parliament adopted a number of proposed amendments to the European Commission’s draft text of the GDPR.
- 16 December 2015; the European Council published the final text of the GDPR on the 16 December 2015.
- 8 April 2016; The European Council adopted the final text of the GDPR.
- 14 April 2016; The European Parliament voted to adopt the final text of the GDPR.
- 27 April 2016; The European Parliament signed the final text of the GDPR.
- 4 May 2016; The GDPR was published in the Official Journal of the European Union and will apply after a two year implementation period from twenty days after its publication in the Official Journal (i.e. 25 May 2018).
While the GDPR is aimed at harmonising the data protection framework throughout the EU, full and complete harmonisation will not been achieved by the GDPR. In this regard, the GDPR gives scope to Member States to introduce their own data protection requirements in certain circumstances and it also gives the European Commission the power to make delegated acts. In Ireland, the Department of Justice and Equality recently published the General Scheme of the Data Protection Bill 2017 (General Scheme) on 12 May 2017. The General Scheme essentially gives us a summary of the main provisions that are likely to be included in the Data Protection Bill. The Data Protection Bill will give effect to, and provide for derogations from, the GDPR when it is enacted. Interestingly, the digital age of consent for online services in Ireland was left blank in the General Scheme but recent reports indicate that the Cabinet has set it at thirteen. It is expected that there will be changes before the Data Protection Bill is enacted and it should be noted that the General Scheme is very much in draft form at this time.