On December 15, 2015, European officials issued a Press Release announcing an agreement to enact common standards for data protection across all 28 member states to “put an end to the patchwork of data protection rules that currently exists.” The rules do not go into effect until the European Parliament and the national governments of the EU member states consider and formally adopt them in 2016, which is widely expected. The rules would become effective two years after adoption. The General Data Protection Regulation (“GDPR”) and Data Protection Directive would codify the rules.
Compared to the current Data Protection Directive 95/46/EC in effect since 1995 (“1995 Directive”), the GDPR strengthens data protection in several notable ways, including, among other things: (i) applying privacy rules to entities based outside the EU; (ii) imposing large multi-million Euro administrative fines for violating a variety of EU data privacy requirements; (iii) codifying the “right to be forgotten,” (iv) requiring notification of data breaches to regulators within 72 hours; (v) requiring notification to data subjects under certain circumstances; and (vi) requiring parental consent for children under the age of 16, including on social media sites.
Please see full publication below for more information.