Reform of the EU framework and the road to the GDPR
Divergent national measures and new technology pushed the Commission to reform the Directive. In January 2012 it published two proposals: a regulation (the future GDPR) and the Law Enforcement Directive. The reform promised a single set of rules, a right to be forgotten, data portability and tougher fines. After the four-year trilogue, agreement came on 15 December 2015; the GDPR entered into force 24 May 2016 and applied from 25 May 2018.
In 2010 the Commission set out a reform strategy and consulted publicly. In January 2012 it published two proposals: a regulation for a general EU framework and the Law Enforcement Directive for criminal-justice processing. Parliament proposed amendments in 2014, the Council added its own, and the three reached agreement through the trilogue on 15 December 2015.
- A single set of rules valid across the EU; notification requirements removed as costly
- Greater accountability for those processing personal data
- Dealing with a single ‘main establishment' DPA in some cases
- Explicit consent wherever consent is required
- Right to data portability and a right to be forgotten
- EU rules apply to non-EU firms active in the EU market
- Stronger DPA powers, with fines up to €1 million or 2% of global turnover (as proposed)
| Date | Event |
|---|---|
| 2010 | Commission sets out reform strategy and consults |
| January 2012 | Two proposals published (Regulation + LED) |
| 2014 | Parliament proposes amendments |
| 15 December 2015 | Trilogue agreement reached |
| 4 May 2016 | GDPR and LED published in the Official Journal |
| 24 May 2016 | GDPR enters into force |
| 25 May 2018 | GDPR becomes enforceable |
The 2012 proposal floated fines of €1 million or 2%. The final GDPR raised the top tier to €20 million or 4%. Don't mix the proposal's figure with the enacted one.