The European Parliament has voted on the General Data Protection Regulation (the "GDPR"). The vote marks the end of a four-year legislative process and makes the GDPR a reality.
On Thursday, 14 April 2016, the European Parliament voted to adopt the draft text of the GDPR. The vote completed the legislative process for adoption of the GDPR. This latest development follows the compromise agreed between the Council and the European Parliament in December 2015 and, more recently, a vote by the Council of the EU under an expedited written procedure and a vote by the Parliament's Civil Liberties, Justice and Home Affairs Committee, which has been influential in the development of the GDPR.
The GDPR will now be published in the Official Journal of the European Union by the Secretaries-General of the Parliament and of the Council. Twenty days after publication, the GDPR will come into force (i.e., likely in May 2016). However, organisations will not be subject to enforcement under the GDPR at that stage. Instead, there will be a two-year grace period, after which the GDPR's provisions will become enforceable (i.e., likely in May 2018).
During this period, the existing collection of national data protection laws, based on EU Directive 95/46/EC, will continue to apply. However, organisations will need to use the two-year window wisely. It is important for organisations to allocate sufficient time and resources to ensure that they are compliant with the GDPR by May 2018. Failure to meet this deadline may result in enforcement action under the GDPR, including possible fines up to the greater of €20 million or 4% of annual global turnover. France is already in the process of introducing legislation to implement fines at these levels immediately, rather than waiting for the GDPR to become enforceable. It is not yet clear whether other Member States will follow suit.
The European Parliament's adoption of the GDPR marks the end of a long journey. The first draft of the GDPR, setting out a comprehensive reform package of the EU's data protection rules, was published by the European Commission in January 2012. It has since been through numerous rounds of revisions, committees and votes, which have taken significantly longer than many commentators originally anticipated.
In parallel to the GDPR, the EU has also been in the process of agreeing a new Police and Criminal Justice Directive, which will govern the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences, and related judicial activities. The UK has effectively opted out of this Directive, meaning that the processing of personal data for policing and criminal justice purposes in the UK may be governed by a different set of rules from the rest of the EU. The practical impact of the UK's decision on this issue remains to be seen.
Once the GDPR comes into force, two further key developments are expected. First, EU Data Protection Authorities will, individually and collectively, begin to issue guidance on the application and interpretation of the GDPR, with the aim of helping organisations to achieve compliance with its requirements. This guidance is expected to offer detail on certain issues in the GDPR that are not entirely clear from the current text (e.g., several of the new data transfer mechanisms set out in the GDPR require significant further explanation before they can be used in practice).
Second, the European Commission is expected to begin a process of revising Directive 2002/58/EC (the "ePrivacy Directive"). The potential for overlap between the GDPR and the ePrivacy Directive has been the subject of much discussion in recent months. For example, that overlap could result in controllers that suffer a data breach being obliged to report that same breach twice – once under the GDPR and once under the ePrivacy Directive. It is hoped that the Commission's efforts will resolve these issues before enforcement of the GDPR begins.