On December 12, in a development that some expected and others hoped would never come, the European Commission, the European Parliament and the Council successfully concluded their trilogue discussions by announcing agreement on the final text of the General Data Protection Regulation. The agreement comes six years after the Commission held its first stakeholder consultation and four years after it released a proposed text. In spite of intense lobbying and opposition by some business groups and member states, the original text survived largely intact, with mostly minor and subtle changes and some significant strengthening, as in the higher maximum fines for violations. Formalities of official approval by the Parliament and the Council remain, but these are expected early in 2016, with the Regulation to come into force two years later, early in 2018.
As the first major reform of European data protection law in 25 years, the Regulation is a monumental game-changer, a perspective well summarized by Oxford lecturer Jeffrey Ritter. It also comes at a critical time in the EU’s current confrontation with the US over data privacy, demonstrating a political will to secure European human rights that puts muscle behind the legal gauntlet thrown down by the CJEU’s Schrems ruling. Terrorist attacks in Paris and Santa Barbara notwithstanding, it reaffirms the message that Europe will not tolerate sacrificing privacy on the altar of security.