After three months of legal-linguistic checks and translations, the European Union is poised to formally adopt the new EU General Data Protection Regulation (GDPR) and its sister law, the EU Policing and Criminal Justice Data Protection Directive (PCJ DPD).

Documents recently released by the Council of the EU (available here and here) suggest that the Council will vote to endorse final texts by the end of this week (Friday April 7, 2016), before passing them on for approval by the European Parliament during next week’s plenary sessions (April 11-14, 2016).

The GDPR will take effect twenty days from its post-vote publication in the Official Journal, triggering a two year transition period before its full entry into force.  At that point it will sweep away the current EU Data Protection Directive (95/46/EU), which has served as the main instrument of EU privacy law for almost two decades.

Unlike the Directive, the GDPR will for the most part have direct effect throughout the EU, without requiring implementation into national laws.  Nevertheless, the next two years are likely to see substantial further legislative and rulemaking activity at EU and national level.

The GDPR allows for substantial national deviations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance in order to comply with the new GDPR, Member States will also be working to finalize their positions on key issues such as workplace privacy, healthcare services and biomedical research.

The European Commission and a new European Data Protection Board, meanwhile, will play important roles as the source of further implementing guidance and rules, and approving certification schemes and industry codes of conduct.  Later this year, the European Commission is also expected to launch a revision of the E-Privacy Directive, which imposes additional privacy rules for telecommunications, marketing and digital services.