By Phil Bradley-Schmieg and Vera Coughlan.  This post has been updated to include links to the final texts and comparisons with preceding drafts.

After three months of legal-linguistic checks and translations, the EU is poised to formally adopt the new EU General Data Protection Regulation (GDPR) and its sister law, the EU Policing and Criminal Justice Data Protection Directive (PCJ DPD).

The new and likely final texts for approval were released late on Wednesday, April 6; the GDPR text can be found here, whilst the final text of the PCJ DPD can be found here. We have also published automated comparisons here and here, for the GDPR and PCJ DPD respectively.

Documents recently released by the Council of the EU (available here and here) suggest that the Council will vote to endorse these final texts by the end of this week (Friday April 7, 2016), before passing them on for approval by the European Parliament during next week’s plenary sessions (April 11-14, 2016).  

As previewed on InsidePrivacy here, the GDPR will take effect twenty days from its post-vote publication in the Official Journal, triggering a two year transition period before its full entry into force.  At that point, it will sweep away the current EU Data Protection Directive (95/46/EU), which has served as the main instrument of EU privacy law for almost two decades.

Unlike the Directive, the GDPR will for the most part have direct effect throughout the EU, without requiring implementation into national laws.  Nevertheless, the next two years are likely to see substantial further legislative and rulemaking activity at EU and national level.

The GDPR allows for substantial national deviations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance in order to comply with the new GDPR, Member States will also be working to finalize their positions on key issues such as workplace privacy, healthcare services and biomedical research.

The European Commission and a new European Data Protection Board, meanwhile, will play important roles as the source of further implementing guidance and rules, and approving certification schemes and industry codes of conduct.  Later this year, the European Commission is also expected to launch a revision of the E-Privacy Directive, which imposes additional privacy rules for telecommunications, marketing and digital services.

Photo of Phil Bradley-Schmieg Phil Bradley-Schmieg

Philippe Bradley-Schmieg’s practice covers a range of commercial, regulatory and intellectual property matters affecting the IT, e-health, internet media and telecoms sectors, often with a multi-jurisdictional scope.  He advises on intellectual property, compliance and policy matters such as online consumer rights, liability for…

Philippe Bradley-Schmieg’s practice covers a range of commercial, regulatory and intellectual property matters affecting the IT, e-health, internet media and telecoms sectors, often with a multi-jurisdictional scope.  He advises on intellectual property, compliance and policy matters such as online consumer rights, liability for third party content, patent, copyright and database right licensing, privacy and data protection, medical confidentiality, cybersecurity, data breach responses, and law enforcement data disclosure.  Mr. Bradley-Schmieg advises on UK, EU and international law, and has worked in London and Brussels.