On Friday, 25 May 2018, a new EU Regulation, the General Data Protection Regulation (GDPR), relating to the protection of citizens’ right to privacy, and the modernisation of data protection laws in the EU, came into effect. The GDPR aims to give individuals greater control over how their personal data are processed and used.
Background
The General Data Protection Regulation (GDPR) aims to give European Union (EU) citizens greater control over their personal data. Individuals’ fundamental rights to privacy and to the protection of their personal data are enshrined in the EU Charter of Fundamental Rights. The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. This covers information that identifies a person directly, as well as information that could be combined with other data to identify them, such as names, email addresses, photos, and bank details.
Prior to the introduction of the GDPR, the Data Protection Directive (Directive 95/46/EC) adopted in 1995 protected individuals by regulating both the processing and the free movement of personal data within the EU. The GDPR, alongside a directive on data transfers for policing and judicial purposes, replaces the 1995 Directive which was adopted at a time when the internet was still a new phenomenon, and modernises its principles with the aim of providing regulation fit for purpose in the digital era. As well as this, the GDPR aims to increase efficiency in the EU’s Digital Single Market by harmonising the EU’s regulatory environment with regard to personal data.
In January 2012, the European Commission issued a proposal for wide-ranging reform of the EU’s 1995 data protection rules due to the need to “build a stronger and more coherent data protection framework in the EU” to accompany developments in technology and increased online activity.
Three-way institutional negotiations on the GDPR between the European Commission, the Council of the EU, and the European Parliament began in June 2015. These talks continued for six months, until an informal agreement was reached in December 2015.
After further work on the proposed legislation, the GDPR was adopted by the Council of the EU on 8 April 2016 and the European Parliament voted to approve the GDPR on 14 April 2016. The GDPR entered into force on 24 May 2016. As a Regulation it did not need to be transposed into national law; instead, organisations and Member States were given a two-year transition period before the GDPR became directly applicable in all EU countries on 25 May 2018.
The Principles of the GDPR
The GDPR introduces a number of rules to reinforce the rights of the individual by giving citizens greater control over the use of their personal data. The GDPR also aims to strengthen trust in the EU’s Digital Single Market. Any organisation that processes the personal data of individuals in the EU, whether it is established inside or outside the EU, must be GDPR compliant from 25 May 2018. This means that large multinational companies such as Facebook and Google must abide by the new Regulation when operating within the EU. The GDPR also restricts the transfer of individuals’ personal data to countries outside the EU, permitting it only where an adequate level of protection is ensured.
The GDPR establishes that personal data should be processed “lawfully, fairly and in a transparent manner”, and that personal data should be collected for “specified, explicit and legitimate purposes”. The Regulation also includes the principle of ‘data minimisation’ whereby the personal data collected by organisations should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
The GDPR establishes the principle of ‘accuracy’ and that “every reasonable step must be taken to ensure that personal data that are inaccurate…are erased or rectified without delay”. The Regulation includes the principle of ‘storage limitation’, whereby personal data are kept for no longer than is necessary for the purposes for which they were collected by an organisation. It also establishes the principle of ‘integrity and confidentiality’ with regard to personal data, whereby firms have a duty to ensure that personal data are “processed in a manner that ensures appropriate security” of those data. Finally, under the principle of ‘accountability’, the organisation responsible for the processing must be able to demonstrate its compliance with these principles.
Enforcement
The new legislation aims to establish a ‘one-stop-shop’ for data protection oversight: an organisation that processes personal data across several Member States deals primarily with the supervisory authority of the country in which it has its main establishment. In contrast to the patchwork of national laws that previously implemented the 1995 Directive across the EU, the Regulation establishes the European Data Protection Board (EDPB), which is tasked with ensuring that the GDPR is applied consistently throughout the EU.
Under the new Regulation, organisations in breach of the GDPR may face fines of up to four per cent of their total worldwide annual turnover, or €20 million, whichever amount is greater. The GDPR also requires a Data Protection Officer to be appointed by public authorities and by any organisation whose core activities involve large-scale processing of sensitive (‘special category’) personal data or large-scale, regular and systematic monitoring of individuals.
On 24 May, European Commission Vice-President for the Digital Single Market, Mr Andrus Ansip, stated: “The new rules ensure that citizens can trust in how their data is used and that the EU can make the best of the opportunities of the data economy.”