The European Union (EU) General Data Protection Regulation (GDPR) is one step closer to replacing the EU’s 1995 data privacy directive, known as 95/46/EU. In late June, the Council of Ministers from the EU member states approved a general approach to the GDPR. The European Parliament, the European Council and the European Commission (EC) are now negotiating the GDPR approach and wording, which is widely expected to result in enactment of a final regulation by early 2016, with an effective date a year or more later.

Once adopted, the GDPR regulation would apply directly to EU member states without the need for each state to pass legislation. This means one uniform set of EU data protection requirements for regulators, businesses and individuals. This is different than the existing EU scheme under the 1995 data privacy directive, where each member state has slightly different requirements. That is because under EU law, a directive must be adopted by each state, and as a result, it is often modified, resulting in varying requirements. U.S. companies will benefit from the consistency the harmonized approach will bring, even if some of the requirements are stricter than the current EU directive.

U.S. companies are likely to focus on any further restrictions the GDRP makes in the U.S. safe harbor program allowing personal data to be transferred outside the European Union. Changes could include additional data protection and contractual provisions as well as binding corporate rules. It is expected that the U.S. Safe harbor scheme will survive, in substantially the same form, in part due to the large volume of U.S/U.K trade.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.