December was a busy month in Europe for data security and breach reporting, with representatives of the European Parliament, Council and Commission agreeing in the “trilogue” process to a sweeping new data protection regulation, the General Data Protection Regulation (GDPR). The GDPR toughens European data privacy law, already at odds with U.S. privacy law, by issuing heavier fines for non-compliance and by imposing more stringent obligations for both data controllers and processors. It also expands the territorial scope to apply to any company processing data in the E.U. and to companies outside the E.U. that offer goods and services to, or monitor the behavior of, E.U. residents. European Justice Commissioner Vera Jourova said that E.U. citizens and businesses “will profit from [these] clear rules that are fit for the digital age,” but many companies claim that the new law is less clear than originally hoped. The trilogue also announced its agreement on the proposed Network Information Security Directive, which is aimed at improving cybersecurity capabilities and mandating breach reporting in certain sectors. Latham & Watkins partner Gail Crawford explains the key points of each of these legal developments and what they mean for companies. See also “Seeking Solutions to Cross-Border Data Realities” (Aug. 26, 2015).