15 June 2015: Council of Ministers approves their version of the Regulation.

End of 2015: Anticipated date for the Regulation to be finalised and published.

End of 2017: Anticipated date for the Regulation to be implemented in all Member States.

On 15 June 2015 the European Council of Ministers approved their full draft of the European Union General Data Protection Regulation (GDPR). The Ministers, who represent the national interests of each Member State, have been negotiating the European Parliament's approved version of the GDPR since March of last year. After drip-feeding partial agreements of their general approach over the past twelve months, this is the first full draft we have seen from the Council.

While the Council's draft endorses some of the European Parliament's proposals, it is at odds with the Parliament text in many areas. For example:

  • The Council have opted to limit maximum fines for breach of the GDPR to the higher of 2% of an enterprise's worldwide turnover or €1 million, significantly lower than the Parliament's suggested maximum fines of up to €100 million or 5% of the entity's turnover;
  • The Parliament's proposal for any national data protection authority to act as a "one-stop-shop" for an organisation's compliance with data protection law throughout Europe has been significantly diluted in the Council's draft, meaning that organisations may still have to liaise with the supervisory authorities from different Member States where there is a cross-border data protection issue, as opposed to just one authority as envisaged by the Parliament;
  • The Parliament's draft made the appointment of a Data Protection Officer mandatory for data processors and controllers operating above a certain threshold. Under the Council's draft organisations may, but do not have to, appoint Data Protection Officers;
  • The Council's draft requires that "unambiguous" consent is sought from data subjects to process their data. The Parliament proposed that consent must be explicitly given and that the continued use of a service (for example of a website) would not constitute the giving of consent;
  • The Parliament's draft sought to narrow down the scope of the legitimate interest condition; the condition under which an organisation can legitimately process personal data. However, the Council's draft broadens the scope for relying on the legitimate interest condition, for example by introducing 'direct marketing' as a legitimate reason for processing.

The European Commission, European Parliament and Council of Ministers will now enter a closed door series of trilogue negotiations to agree the final text. This is scheduled to commence on 24 June 2015 in Brussels, well before the summer recess in August. Given the informal nature of EU trilogue negotiations, there is no clear deadline for the parties to come to a consensus on the final version of the GDPR. While there is increasing pressure to finalise the legislation quickly, the disparity between the Council's agreed general approach and that of the European Parliament means that negotiations could be slow. A final draft is unlikely to be concluded much before the end of this year.

Once the legislation is finalised there is likely to be a two year transition period that allows for all Member States to adapt to the new rules. On the current timeline, the GDPR could be in force throughout the EU by the end of 2017. Organisations (both inside and outside Europe) should examine the new rules very carefully to identify the changes that they need make to ensure that they are compliant with the GDPR before it comes into force.