This paper presents an overview of the substance of the EU’s new General Data Protection Regulation in the light of the definitive text agreed in the Trilogue. The author also supplies background information about the legislative procedure, in which he himself was actively involved, throughout the period of more than four years that it took, as rapporteur on behalf of the European Parliament. It contains a structured presentation of the new data protection law and places the provisions in their historical context, in the hope that this will help people to understand this important instrument.The article first outlines the definitive status of the Regulation’s text and explains its historical dimension (I.). After that the Regulation’s territorial and substantive scope is presented (II.) before the new definitions of personal data and of the concept of consent are highlighted (III.). Further, the new principles and conditions for data processing and its lawfulness are outlined (IV.) as well as the new individual rights for data subjects across Europe (V.) are contrasted with the new obligations of data processors (VI.). The article then addresses the new provisions on the transfer of personal data to third countries (VII.) and presents the innovative new supervisory model and the elaborated system of new obligatory sanctions (VIII.). Finally, the article covers the remaining issues of protecting sensitive data, minors and Member States’ sensitivities as well as delegated acts and the Regulation’s date of applicability (IX.) before concluding with an encouraging outlook for the future (X.).

Modern technology permits governments, state agencies, commercial entities and businesses to obtain, retain and utilise (for all sorts of reasons), at the flick of a switch, swathes of personal and private data, both content and meta data. This creates many challenges, not least Pandora’s box of delights having been opened, how to strike the right balance between protecting the public from genuine threats to security while safeguarding fundamental rights such as privacy and freedom of expression. No one seriously disputes that law enforcement and intelligence agencies needed to have investigatory powers, which may be intrusive, and may need to be conducted in secret. However, use of these powers cannot be unlimited and must be subject to the rule of law (i.e. must be clear and certain, legitimate, transparent, necessary and proportionate); further the executive must be properly accountable and there must be proper access to justice. There is a battle going on across many fronts and involving many players (ISPs, telecommunications companies, business, individual users, traditional media, social media, state agencies) in different jurisdictions over who should have ownership and control of information and what jurisdictional norms should apply and prevail in that battle.

Negotiations for two international trade agreements, in which the EU Commission is envolved, are suspected of watering down EU data protection standards. The first agreement concerns the bilateral Transatlantic Trade and Investment Partnership (TTIP) between the European Union and the U.S.A., the second is the plurilateral Trade in Services Agreement (TiSA) between the European Union and 22 members of the World Trade Organisation (WTO), particularly Australia, Canada, Japan, New Zealand, Switzerland, Turkey and the U.S.A.According to the Lisbon Treaty, international trade agreements which are binding for the 28 EU Member States have to be negotiated by the EU Commission (Art. 207; 218 TFEU) based on a mandate by the European Council. The European Council is entitled to adopt a trade agreement only after its approval by the European Parliament (Art. 218 (6)(a)(1v); 207 (1)–(3) TFEU). Council and Commission have to ensure that the agreements negotiated are compatible with EU rules (Art. 207 (3) TFEU).