After nearly four years of intense negotiations, EU institutions have finally closed the deal on the General Data Protection Regulation (GDPR), which was introduced by the EU Commission on January 25, 2012 as part of its data protection package.
The EU Parliament approved the GDPR in its plenary session on April 14, 2016 in the regulation’s second reading. This was the final and highly anticipated step in the GDPR’s bumpy adoption process, a few days after the Council voted on the GDPR in its first reading on April 8, 2016. There were no substantive deviations by the Council from the version unofficially agreed to on December 15, 2015 at the last trilogue meeting. But it took a lot of effort to get there, and the GDPR will certainly be remembered as one of the more debated pieces of legislation in the EU’s legislative history.
There is no final official release of the instrument yet, but the expectation is that it will be published in the EU’s Official Journal (OJ) in May 2016. For now, the reference document is the version voted on by the Council. The GDPR will enter into force 20 days after its publication in the OJ, and become fully applicable two years after that date. This means companies have until May 2018 to reach compliance.
Click here to read the full client alert.