New EU data protection rules (finally!) agreed

On the 17th of December, and after much negotiation, a final draft of the new General Data Protection Regulation (GDPR) was approved by the Civil Liberties, Justice and Home Affairs (LIBE) committee of the European Parliament.

The GDPR will replace the various fragmented privacy rules for EU member states, and will impose stricter EU-wide obligations on those processing personal data.  

The agreed draft imposes new obligations on both data controllers and data processors, and enshrines various new rights for data subjects.  

Compromises were finally agreed on the most contentious points, including setting the penalty for serious breaches of the data rules at up to 4% of a company's annual turnover or EUR 20,000,000, whichever is higher.  A last minute attempt to require parental consents for all under-16s signing up to 'information society services' was rejected.  Instead it will be left up to individual member states to set the limit for parental consent for such personal data use, somewhere between 13 and 16 years of age.  

What's next?  

The legislation must be formally adopted by EU governments and the European Parliament.  This is likely to happen in January or February of 2016.  The GDPR will then come into force in 2018. 

See here for more information: http://europa.eu/rapid/press-release_IP-15-6321_en.htm