By Phil Bradley-Schmieg and Vera Coughlan. This post has been updated to include links to the final texts and comparisons with preceding drafts.
After three months of legal-linguistic checks and translations, the EU is poised to formally adopt the new EU General Data Protection Regulation (GDPR) and its sister law, the EU Policing and Criminal Justice Data Protection Directive (PCJ DPD).
The new and likely final texts for approval were released late on Wednesday, April 6; the GDPR text can be found here, whilst the final text of the PCJ DPD can be found here. We have also published automated comparisons here and here, for the GDPR and PCJ DPD respectively.
Documents recently released by the Council of the EU (available here and here) suggest that the Council will vote to endorse these final texts by the end of this week (Friday April 7, 2016), before passing them on for approval by the European Parliament during next week’s plenary sessions (April 11-14, 2016).
As previewed on InsidePrivacy here, the GDPR will take effect twenty days from its post-vote publication in the Official Journal, triggering a two year transition period before its full entry into force. At that point, it will sweep away the current EU Data Protection Directive (95/46/EU), which has served as the main instrument of EU privacy law for almost two decades.
Unlike the Directive, the GDPR will for the most part have direct effect throughout the EU, without requiring implementation into national laws. Nevertheless, the next two years are likely to see substantial further legislative and rulemaking activity at EU and national level.
The GDPR allows for substantial national deviations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance in order to comply with the new GDPR, Member States will also be working to finalize their positions on key issues such as workplace privacy, healthcare services and biomedical research.
The European Commission and a new European Data Protection Board, meanwhile, will play important roles as the source of further implementing guidance and rules, and approving certification schemes and industry codes of conduct. Later this year, the European Commission is also expected to launch a revision of the E-Privacy Directive, which imposes additional privacy rules for telecommunications, marketing and digital services.