We have crossed the Rubicon. Several years of tortuous haggling, drafting and editing have culminated in the new General Data Protection Regulation, which will become the bedrock for EU data protection law. In the last couple of hours, the European Parliament has voted on and approved the final agreed text of the GDPR. The GDPR is expected to come into force around mid-2018. You can read the final text here, and (courtesy of @PrivacyMatters), you can find a photo here of the GDPR’s champion, Jan Albrecht, smiling at the outcome, in his trademark jaunty stiped shirt and jacket.

In the meantime, the immediate future of EU-US personal data transfers is much less certain. Chris Knight has previously explained the ‘Privacy Shield’, a kind of emergency sticking plaster measure introduced in the wake of the Schrems litigation, which killed off the Safe Harbor arrangements for transatlantic transfers. The Article 29 Working Party – perhaps the EU’s most authoritative voice on data protection matters – has this week endorsed aspects of Privacy Shield as an improvement on Safe Harbor. Crucially, however, the A29 WP is far from convinced that Privacy Shield is up the answer. It has ‘strong concerns’, which you can read about here. No Rubicons crossed on this issue just yet.

Robin Hopkins @hopkinsrobin