Cybersecurity & Standards, European Policy

Data Protection Agreement to Bring Major Changes to EU Privacy Law

Yesterday, the European Union Parliament and European Council negotiators reached agreement on the long-awaited General Data Protection Regulation (GDPR). Member States will have two years to comply with the regulation once it is formally passed in early 2016. The Center for Democracy & Technology (CDT) welcomes the agreement, but remains concerned about a number of aspects.

“The agreement is an important milestone for the protection and advancement of privacy as a basic human right. As new technologies and business models emerge in our interconnected world, strong regulations and protections of the individual’s personal information become even more important,” said Katharina Kopp, CDT’s Director of the Privacy and Data Project.

The goal of the data regulation reform was to replace the existing patchwork of national laws with one common regulation, to adapt the rules to the digital era and to reduce administrative burdens. CDT expressed support for these goals, but also raised concerns about a number of issues.

“An important question is whether this Regulation will be implemented in a uniform way across the EU. That would give European businesses a stable regulatory environment in which to operate. Other issues we need to look at are how the text on Right to Be Forgotten, and international data transfers, will be interpreted,” said Jens-Henrik Jeppesen, CDT’s Director of European Affairs.

The Regulation agreement is the outcome of almost four years of negotiations among European Union institutions and is now the second baseline privacy regulation advanced in Europe. CDT has long advocated for similar baseline privacy legislation in the US – a goal that has proven elusive.

Because the final text of the GDPR has not yet been released, CDT plans to further analyze the agreement and assess its full potential impact as more information becomes available. CDT will offer its perspectives on a number of aspects of the new regulation, and will continue to debate these issues with regulators, industry, and other privacy groups. Key issues we will be exploring include the Right to Be Forgotten, territoriality concerns, pseudonymous data, parental consent, and liability.