On 14 April 2016, the EU Parliament has approved the texts of the Regulation and Directive on personal data protection. The new “data protection package” has the objective of updating the European regulations, which date back to 1995 – that is, to a time when many of the new technologies did not even exist – and affording to the citizens, in the Internet and social networks era, a greater control on their personal information. Main innovations of the Regulation are (i) the “right to be forgotten”, that is the right of the interested parties to delist a web page or information on the web; (ii) the “right to data portability”, that is, the right to obtain return of one’s own data transmitted to an on line service and to transfer them to others (e.g., social networks); and (ii) the “consent”, which must be effective and unequivocal. On the other hand, the Directive provides, for the first time, for common rules for all member states regarding the processing of data by the police and judicial authorities for investigation purposes. In the next few months, the texts will be published in the EU Official Journal. The Regulation, which will enter into force 20 days from publication, will be directly applicable within two years to all member States, which shall have two years to transpose the provisions of the Directive. Therefore, in two years the new “data protection package” will override the Italian Data Protection Code and the confidentiality laws in force in other EU member states.