Today, the EU institutions reached the long-awaited political agreement on the General Data Protection Regulation (GDPR), which will fundamentally change the EU privacy landscape (for the Commission press release see here and the European Parliament press release here). Almost four years after the publication of the legislative proposal for the GDPR, the final trilogue meeting between the European Commission, the European Parliament and the EU Council of Ministers (“the Council”) led to a compromise (for more details on the process, please see our previous InsidePrivacy post on the first day of trilogue negotiations here).
Today’s political agreement requires formal validation by the European Parliament and the Council. This is not expected before February or even March of next year. At European Parliament level, the Civil Liberties, Justice and Home Affairs (LIBE) committee will vote on the GDPR this Thursday, December 17 (see the LIBE agenda here). Subsequently, the European Parliament’s plenary, which is not formally bound by the committee’s opinion, still has to approve the agreed text, possibly in February. At Council level, we understand that the text will be discussed in a Coreper (Committee of Permanent Representatives) meeting either this Friday, December 18, or Monday, December 21. Based on those discussions, the incoming Dutch Presidency of the Council, whose mandate starts in January 2016, will determine the strategy and timelines for Council ratification. The GDPR could be approved either at a Council meeting in January 2016 or, should further discussions be required, at or after the next formal Justice and Home Affairs Council Meeting on March 10-11, 2016.
A committee of experts will consolidate and finalize the text. This committee cannot, however, make any substantial changes to the politically agreed text. Following final adoption, the GDPR will also need to be translated in all the EU’s official languages. The final step – publication of the GDPR in the Official Journal of the EU, which starts a two-year transition period before the GDPR enters into force – is not expected before mid-2016, which means that the GDPR will enter into force mid-July 2018 at the earliest.