The 261-page final draft of the EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC (Directive), was formally approved by the EU Parliament on April 14, 2016. The document is expected to be published in the Official Journal of the European Union (EU) in June, and to enter into force 20 days thereafter. The GDPR will apply, and enforcement will commence, two years from the date of entry into force, i.e., approximately in early July 2018. The repeal of the Directive will take effect as of the date when the GDPR begins to apply.
The GDPR is not just an update of a 20-year-old directive that was designed at the dawn of the Internet era and that was based on privacy principles published by the Organization for Economic Co-operation and Development (OECD) in the early 1980s. The approval of the GDPR is a significant development in the shaping of the law of privacy and data protection in the European Union as a cohesive, homogeneous whole, where one single law becomes the primary vehicle to govern the activities of very diverse countries in a particular domain.
It is time for companies that fall within the scope of the new GDPR to start preparing for the transition. This GT Alert focuses primarily on the obligations faced by companies whose principal business establishment is located outside the EU and the European Economic Area (EEA).