Greetings from Brussels!

Following the ground breaking agreement on Tuesday evening by the EU negotiators on the GDPR texts, the European Parliament’s Civil Liberties, Justice and Home Affairs [LIBE] Committee approved this morning the data protection package, which was backed by 48 votes to four, with four abstentions. The next step will be a vote in full Parliament in the New Year. The agreement reached by the Luxembourg Presidency will also have to be confirmed at the level of the Council of the EU by the 28 member states and will be addressed by a COREPER meeting held before 21 December.

The new EU regulation is intended to create a uniform and consistent set of rules across the EU fit for the digital era. Moreover, it is intended to improve legal certainty and boost trust in the digital single market for citizens and businesses alike. Clear and affirmative consent to data processing, the right to be forgotten and strong fines for firms breaking the rules are all some of the new measure incorporated in the new regulation (our resource center is the best place for constant updates).

The new rules will replace the EU's current data protection laws, which date from 1995, when the internet was still in its infancy. To give you a picture of how long ago that was in tech terms, Mark Zuckerberg, CEO of Facebook, was all of 11 years old.  The new rules have been devised to give citizens more control over their own private information in an increasingly digitalized world of smart phones, social media, internet banking and global transfers. At the same time, they aim to ensure clarity and legal certainty for businesses. Business reaction remains cautious, and the question on many an executive’s lips—as well as lawyers'—is whether the legal environment is really conducive to boost innovation and further the development of the digital single market. There is the business argument that while Europe remains in a period of economic recovery, European citizens and businesses cannot afford regulation that unnecessarily stifles job creation, competitiveness and data-driven investment.

In addition to the GDPR regulation session of Tuesday night, the EU negotiators also thrashed out an accompanying directive that covers data transfers between law enforcement agencies across the Union. The LIBE committee also backed this initiative Thursday morning, approving the new rules by 53 votes to two, with one abstention--a slightly bigger margin in this stance, which is possibly explained by the recent terror attacks and threats in Europe.

The draft directive on the protection of individuals with regard to the processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences will be the first instrument of its kind to harmonize 28 different law enforcement systems with respect to data processing for law enforcement purposes, as well as set minimum standards for data processing for each member state. This too will go before the full Parliament in spring 2016 for ratification.

Once both the Regulation and Directive are ratified, member states will have two years to apply the provisions of the GDPR regulation and transpose the provisions of the new directive into their national laws; quite the challenge. For business, this does not leave companies with an abundance of time to assess, plan and implement a compliance program to satisfy the significant change in the rules. There is substantial work on the horizon for a good many stakeholders, but especially you privacy pros.