The EU Institutions have Agreed upon a General Data Protection Regulation

Many business and website operators in the EU and around the globe will need to construct new privacy bridges soon. Unlike the EU’s Data Protection Directive 95/46/EC that was adopted in 1995, the new GDPR will have direct applicability. This means it will not need to be transposed into the national law of the EU member states before it becomes binding under their national laws. However, the effective date of the GDPR will not arise until two years after its forthcoming publication by the EU in the Official Journal.

The new GDPR may, however, have an earlier influence on the way that the Data Protection Authorities (DPAs) in the EU nations regulate or forbear from regulating related practices. The GDPR identifies certain mechanisms that legitimize transfers of personal data to third countries outside the EU. The GDPR (as reflected in the most recent draft below, of December 2015) promises to narrow most of the differences among EU member states in their interpretations of the safeguards that apply to personal information and certain sanctions.

The harmonization efforts are still incomplete, however, since the EU’s new regime for data protection will complement the GDPR with another new directive. The proposal for a directive concerns the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and the free movement of such data, which is intended to replace the 2008 Data Protection Framework Decision (former third pillar).


Alternatively, you may review the recent version of the GDPR in .pdf, which resulted from the trilogue at this link, via the WSJ servers.