On March 17, 2016, the Council of the European Union (the “Council”) published a Draft Statement (the “Statement”) regarding the Council’s position at first reading with respect to the adoption of the EU General Data Protection Regulation (“GDPR”). The Statement follows a political agreement on the draft GDPR reached by the Council on February 12, 2016.
The Statement provides an analysis of the Council’s first reading of the GDPR, including the Council’s general observations as well as key issues identified by the Council.
The Council’s key issues focus on the following topics:
- scope of application of the GDPR;
- principles related to personal data processing;
- lawfulness of data processing;
- empowerment of data subjects through reinforced data protection rights and obligations imposed on data controllers;
- responsibility and liability for any processing of personal data by data controllers or processors;
- transfer of personal data to third party countries or international organizations;
- role of supervisory authorities;
- cooperation and consistency mechanism;
- remedies, liabilities and penalties; and
- specific data processing circumstances, such as the processing of personal data in the workplace.
In the Statement, the Council confirms that its position at first reading reflects the compromise reached between the Council and the European Parliament (“Parliament”). Further, the Council invites the Parliament to formally approve the Council’s position, without amendments.
The Council will formally adopt its position during the next Justice and Home Affairs Council meeting on April 21, 2016. Once formally adopted, the Council’s position at first reading will be sent to Parliament. Then, the Parliament’s Civil Liberties Committee will vote on a recommendation on the Council position, as a basis for the Parliament’s second reading, to be voted in plenary session late May or early June.
Once adopted, the GDPR will be submitted for signature by the President and Secretaries-General of Parliament and the Council during the same plenary session. The GDPR will be published in the Official Journal shortly after the signing. Thereafter, the GDPR will enter into force 20 days after its publication in the Official Journal and is expected to be fully applicable two years after its entry into force.