The General Data Protection Regulation (GDPR) was recently approved by the 28 member states of the Council of European Union. By plenary vote, the European Parliament approved GDPR on April 14.
The GDPR will take effect two years after publication in the E.U. Official Journal, which is expected to be in May.
The GDPR, which strengthens and updates privacy protections for E.U. citizens has been three years in the making. Many hope it will create a standard for privacy protection across the E.U. rather than the patchwork of member state law that exists today even beyond the existing E.U. privacy directive, known as Directive 95/46/EC. For the two-year period until the GDPR takes effect, the E.U. would transition from Directive 95/46/EC into GDPR.
Meanwhile, although the European Commission issued an initial decision finding the U.S. Privacy Shield adequate to protect the privacy of E.U. citizens, more recently, a group of E.U. privacy regulators known as the Article 29 group recently expressed their opinion that Privacy Shield failed to adequately protect the mass collection of E.U. citizens’ data from US government surveillance. The Article 29 working group also expressed concerns about whether U.S. ombudsman, will have the power and independence from the U.S. government to hear and manage complaints from European officials, businesses and individuals.
The Article 29 Working Group’s opinion is expected to be considered by national data regulators within each member state and by the European Commission.