Member States Formally Approve EU Privacy Regulation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

April 8 — The Council of the European Union April 8 signed off on the bloc's landmark General Data Protection Regulation (GDPR), as a formality ahead of final adoption of the text by the European Parliament, which is expected to take place April 14 during a plenary session in Strasbourg, France.

The formal agreement to the text of the GDPR by the council—which represents the EU's 28 member states—was the latest step in the ratification process, following an initial sign-off from the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) in December 2015 after the regulation was informally agreed by parliament and council negotiators .

LIBE will vote again April 12 to confirm its approval of the text, ahead of the European Parliament plenary vote.

Thereafter, the GDPR is likely to be published in the EU Official Journal in May, and would apply across the EU in May 2018, following a two-year transition period.

The text approved by member states had been through “legal and linguistic revision” since the informal deal at the end of 2015, and was now “the same thing legally speaking” in all official languages of the EU, Romain Sadet, council spokesman, told Bloomberg BNA April 8.

The GDPR will regulate commercial data processing in the EU and will, among other things, place more obligations on data controllers , strengthen enforcement with potentially heavy fines, impose EU rules on the processing of the data of EU citizens, wherever that processing takes place and introduce new rights for data subjects.

Alongside the GDPR, the council also approved a directive on the processing of data for law enforcement purposes. The European Commission, the EU's executive arm, proposed the regulation and directive together in January 2012 to replace EU data protection rules that date back to 1995.

The council said in a statement that the directive would protect “personal data processed for prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties,” and would also cover the “safeguarding and prevention of threats to public security.”

Passenger Name Record

In addition to voting April 14 on the GDPR and the law enforcement data processing directive, the European Parliament will vote on an EU directive on the provision of passenger name record (PNR) data by airlines to law enforcement agencies.

The PNR directive was first proposed in 2011 , but was blocked by LIBE in 2013 because of concerns that it would allow excessive collection and retention of personal data . The directive was revived after terrorist attacks in Paris in January 2015, and narrowly passed a second LIBE vote in July 2015 .

The GDPR is likely to be published in the EU Official Journal in May, and would apply across the EU in May 2018, following a two-year transition period.

The directive would oblige EU member states that don't already have systems to transfer PNR data to establish them, and will harmonize privacy protections for PNR data. The directive, which was approved by the LIBE committee in December 2015, would be mandatory for flights into and out of the EU .

Jan Philipp Albrecht, the German Green lawmaker who led negotiations on the GDPR on behalf of the European Parliament, said in a statement April 7 that the data protection regulation “makes the vision of a common EU-wide level of data protection a reality,” while the directive on law enforcement data processing would be “the basis for a better exchange of information” between police forces.

However, the PNR directive was “the wrong way” because it would impose “blanket data retention,” whereas recent terrorist attacks in Belgium and France showed that information was available but wasn't being exchanged, he said.

Ard Van der Steur, the Netherlands justice minister, which presently chairs the Council of the EU, said in a statement April 8 that terrorist attacks in Brussels in March had “once again underlined the urgency of the adoption of the PNR directive.”

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Jimmy H. Koo at

For More Information

The GDPR text approved by the Council of the EU April 8 is available at

The text of the directive on data processing for law enforcement is available at

Request Bloomberg Law: Privacy & Data Security