bluedesign - Fotolia

European Parliament set to approve EU data protection law

The General Data Protection Regulation (GDPR) is ready for its final rubber stamp this week, with EU countries expected to pass it into law in two years

Europe’s much-awaited data protection regulation has received the green light from the European Parliament’s civil liberties (LIBE) committee.

The LIBE committee voted to adopt the final agreement on the General Data Protection Regulation (GDPR) with a majority of 50 for, compared with three against and one abstention. This leaves the way clear for the European Parliament to rubber stamp the law on Thursday 14 April 2016.

Jan Philipp Albrecht, the German Green MEP who spent the past five years steering the law through endless Parliament amendments and negotiations with EU member states, said it was a “success for citizens to have data protection as a ‘made in Europe’ trademark”.

He said: “It has been a huge project from the directive to the regulation on data protection. With the final vote on Thursday, we walk ahead towards protecting fundamental rights and creating a digital single market. The data protection regulation provides legal consistency and fair competition, this makes it a win-win situation for markets as well as for consumers and citizens.”

International privacy lawyer Eduardo Ustaran, of law firm Hogan Lovells, said: “The effects of the law will be felt across all industry sectors and well beyond Europe. This is the culmination of a legal reform directly aimed at steering the next stage of the digital economy.”

Once the regulation has been officially published – expected in coming weeks – European Union (EU) countries will have just two years to implement the new law.

But the GDPR will not pass alone. Part of the data protection package is an EU directive on data protection for law enforcement agencies. The directive is aimed at improving cooperation and exchange of information between police and judicial authorities, while establishing common standards for data protection across the EU.

Read more about EU data protection legislation

Lawmakers piggy-back PNR directive

In a political move, the GDPR was also tied to a deal to store the personal data of all airline passengers in the EU. The so-called Passenger Name Record (PNR) plan has been in the pipeline for many years, but has been resisted by many in the European Parliament over concerns that it constitutes “blanket surveillance”.

However, Dutch minister of justice, Ard Van der Steur, said: “The Brussels attacks of 22 March have once again underlined the urgency of the adoption of the PNR directive.”

Airlines will have to hand over passengers’ data to EU countries to help combat terrorism and other forms of serious crime. The data will be kept for five years, but after the first six months all personal identifying information will be will be “masked out”. Whether this identifying information could be reinstated at a later date under some circumstances remains a point of contention.

The PNR deal will be voted on by the Parliament on Thursday alongside the GDPR and the law enforcement directive. A final plenary debate will also take place on Wednesday – but this now appears a formality.

Read more on Privacy and data protection