Enforcement of Europe’s new data protection regime will begin May 25, 2018

On May 4, 2016, the final version of the European Union’s General Data Protection Regulation (“GDPR”) was published in the Official Journal of the EU. The GDPR, which will replace the EU’s current Data Protection Directive, will enter into force on May 25, 2016; however, enforcement of the GDPR will not begin until May 25, 2018, giving businesses and other entities subject to EU privacy and data security laws a two-year window to become compliant with the new data protection regime. In the interim, entities are expected to continue adhering to the Data Protection Directive until enforcement of the GDPR begins in 2018.

Because the GDPR will bring a large number of changes to Europe’s data protection laws – including significantly higher penalties for non-compliance – businesses and other entities operating in EU Member States are encouraged to use this two-year window to make any changes to their data security and privacy practices necessary to be fully in line with the GDPR by the time it comes into effect on May 25, 2018. More U.S.-based companies will be subject to EU privacy rules due to the expanded jurisdictional scope of the GDPR, which also gives expanded rights of consent and data portability and imposes many more responsibilities on service providers (so-called “data processors”) than before.

We recommend that companies with activities in Europe begin this process as soon as possible. Future posts on Davis Wright Tremaine’s Privacy & Security Law Blog will discuss the impact of the GDPR and how to get ready for compliance in more detail.