You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EU General Data Protection Regulation

  • Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)
  • More top news »
  • Data Flow Deal Talks Fail Due to Lack of US Action on Privacy » (Jun. 17, 2021)
    The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court.
  • EPIC, Coalition Tell Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws » (Jun. 10, 2021)
    EPIC and 23 other leading civil society groups sent a letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE]
  • U.S. Releases Annual Human Rights Report » (Mar. 14, 2019)
    The U.S. Department of State has released the annual report on human rights practices across the globe. The State Dept. report reviews adherence to "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements," including the arbitrary or unlawful interference with privacy. The 2018 report highlights China's social credit system which "quantifies a person's loyalty to the government by monitoring citizens' online activity and relationships." The report also cites the Indian Supreme Court ruling that privacy is a fundamental right and Turkish authorities' investigation of more than 45,000 social media accounts between 2016 and April 2018. Two EPIC publications - The Privacy Law Sourcebook 2018 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide a comprehensive overview of privacy frameworks around the world and track emerging privacy challenges.
  • Zuckerberg Confirms Global Compliance with GDPR » (Apr. 11, 2018)
    In response to a series of questions from Rep. Gene Green, (D-TX), Facebook CEO Mark Zuckerberg confirmed that Facebook will comply with the new European Union privacy law - "the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organization in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process."

Background

The European General Data Protection Regulation (GDPR) is a significant update to Europe's comprehensive privacy law. The GDPR will become applicable on May 25, 2018. After a long negotiating process, the GDPR was finalized in April 2016. The update strengthens data protection under law, providing new data protection rights to individuals and responsibilities for entities handling personal data. The GDPR applies to all entities which process European consumers' personal data. The framework harmonizes data protection rules across the EU, simplifying legal obligations and providing certainty for businesses. Both the public and private sectors are covered by the GDPR, though the public sector has the benefit of certain exceptions from the law's requirements. Among its many provisions, the rules give data subjects specific new rights from a right to object to a right to information, creates independent supervisory authorities, establishes a new European Data Protection Board, requires a lawful basis for an entity to process any personal data, mandates data breach notification within 72 hours, and enhances penalties for noncompliance up to %4 of global revenue.

The reform of European data protection rules built on the previous data protection regime - the Data Protection Directive, or Directive 95/46 - which went into effect in October, 1998. The GDPR will replace this law and preempt member state law. Importantly, the law also builds on the fundamental rights to privacy enshrined in Article 7 and data protection in Article 8 of the European Charter of Fundamental Rights.

EPIC publication the Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (2016) includes the full text of the GDPR and is available in the EPIC bookstore .

Chapter Overview of the GDPR

Chapter 1 - General provisions

Chapter 2 - Principles

Chapter 3 - Rights of the data subject

Chapter 4 - Controller and processor

Chapter 5 - Transfers of personal data to third countries or international organisations

Chapter 6 - Independent supervisory authorities

Chapter 7 - Cooperation and consistency

Chapter 8 - Remedies, liability and penalties

Chapter 9 - Provisions relating to specific processing situations

Chapter 10 - Delegated acts and implementing acts

Chapter 11 - Final provisions

Chapter 1: General Provisions

This Chapter explains the reach of the GDPR and key definitions. The GDPR generally applies when personal data of a data subject is processed. Personal data is information that can identify an individual (including some pseudonymized data if it can be linked back to an individual, but not fully anonymous data). Certain sensitive data, like biometrics, warrant heightened protection. Processing is broadly defined and includes may types of activities related to handling data, like collection, transmission, and storage. The Regulation applies to controllers, those who direct the purposes and means of how data is processed, and processors, those that actually process the data on behalf of the controller. The GDPR applies to both the public and private sectors, but data that falls under a law enforcement data regulation or is processed for national security purposes is not covered. The GDPR applies to all companies which process European consumers' personal data.

Chapter 2: Principles

General Principles for Processing Data

Article 5 of the GDPR sets out key principles applicable to all processing of personal data. Data must be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Lawfulness of processing

One of six lawful bases for processing must be present before any processing can occur:

Consent of the data subject - Where data subject's consent to processing is made by clear affirmative action (opt-in) establishing a freely given, specific, informed and unambiguous indication. The GDPR significantly strengthens the requirements for consent.

Contract - Where processing is necessary for the performance of a contract with the data subject or to form a contract with the data subject.

Legal obligation - Where processing is necessary to comply with a legal obligation of the controller.

Vital interests - Where processing is necessary to protect life and limb.

Public interest - Where processing is necessary for a public authority's official responsibilities, whether carried out by a public entity or private organization.

Legitimate interests - Where processing is necessary for the legitimate interests of the controller or third party, except where overridden by the interests or fundamental rights and freedoms of the data subject.

Other
There are also provisions for processing of special categories of personal data and data related to criminal convictions and offenses, processing which does not require identification.

Chapter 3: Rights of the Data Subject

The GDPR also provides a series of rights to data subjects:

The right to be informed - When their data is collected, data subjects must be informed about the purposes for which the data will be processed, the categories of personal data obtained, how long it will be retained, and more.

The right of access - Data subjects have a right to information about whether their data is being processed, and, if so, have a right to access their personal data which is being processed.

The right to rectification - Data subjects have a right to correct their personal data or complete any data which is incomplete.

The right to erasure - Data subjects have a right to erasure of personal data which has been collected (i.e. a right to be forgotten) in certain circumstances, including that the data is no longer necessary for the purposes it was collected.

The right to restrict processing - Data subjects have a right to request that an entity limit the processing of his or her data in certain circumstances, for instance where the individual alleges the data is incorrect or is being unlawfully processed.

The right to data portability - Data subjects have a right to obtain their data from a service and transmit it to another service for use.

The right to object - Data subjects have a right to object to processing based on "legitimate interest", to direct marketing, and to processing for research purposes.

Rights related to automated decision making and profiling - Data subjects have special rights when they are profiled, i.e. automated processing of personal data where certain aspects of the person are evaluated, and heightened rights where a fully automated decision is made about him or her that has legal or similarly significant effects. The data subjects have a right not to be subject to fully automated individual decisionmaking where it has legal or similarly significant effects. If they are subject to such decision making, data subjects have a right to know they are subject such decision making, and to the logic of the processing and the significance/consequences of the decision.

Chapter 4: Controller and Processor

The GDPR imposes specific responsibilities on controllers and processors. Among the most important are:

Data protection by design and by default - Technical and organizational measures must be implemented to advance data protection principles.

EU representative - Entities outside the EU but subject to the GDPR must have a representative in the EU.

Recordkeeping - Records of processing activities must be kept.

Security of processing - Technical and organizational measures must be implemented to ensure security, like pseudonymization and encryption.

Notification of data breach - Within 72 hours of becoming aware of a data breach that poses a risk to individual rights and freedoms, a supervisory authority must be notified. Data subjects must be notified without undue delay.

Data protection impact assessments (DPIAs) - An assessment of the risks to data protection is required processing runs a high risk for individual rights, and must consult a supervisory authority before processing where the DPIA indicates a high risk is no protective measures are taken.

Data protection officers - DPOs must be appointed to oversee and advise on compliance issues if the entity is a public authorities, or an entity with core activities involving large scale, regular and systematic monitoring of individuals or large scale processing of special categories of data or data concerning criminal convictions and offenses.

Chapter 5: Transfers of personal data to third countries or international organisations

The transfer of personal data outside the EU is limited unless data protection guarantees under the GDPR will be maintained - for instance, transfers are permitted where there is a European Commission decision that the transfer country provides an adequate level of protection, or adequate safeguards are put in place with entity receiving the data by utilizing a "standard contractual clause" to govern the transfer data.

Chapter 6: Independent supervisory authorities

Each member state must provide for one or more independent supervisory authorities, with the aim of consistent application of the GDPR throughout the EU. The authorities will monitor and enforce application of the GDPR, propose public, controller, and processor awareness of the GDPR’s requirements, conduct investigations, provide advice, issue corrective orders and fines, and more.

Chapter 7: Cooperation and consistency

This Chapter provides a system of coordination between independent supervisory authorities so to establish a common approach to enforcement if the GDPR. Authorities must also assist one another in implementing the GDPR, for instance by providing information on investigations, and they carry out undertake joint operations. The text also requires establishment of a "consistency mechanism" to support coordination between authorities. Authorities can take emergency measures to protect data subject rights for a period of up to three months.

The GDPR also establishes a European Data Protection Board, an official body of the EU. The Board will be composed of a chair and two deputies elected from among its members, one supervisory authority of each Member State, and the European Data Protection Supervisor. It will absorb the influential Article 29 Working Party, an advisory group of DPAS. It will resolve disputes among authorities and issue guidelines, recommendations and best practices.

Chapter 8: Remedies, liability and penalties

Individuals have the right to lodge complaints with a supervisory authority and a right to challenge in court an authority's legally binding decision concerning them.

Chapter 9: Provisions relating to specific processing situations

Chapter 9 sets out special standards for specific processing situations. Among these are the requirement for states "reconcile the right to the protection of personal data... with the right to freedom of expression and information"; allows the personal data in official documents involving performance of a public task to be disclosed to advance transparency and access to information; permits member states to set conditions for processing national identification information; gives member states the right to set more specific rules in the employment context;

Chapter 10: Delegated acts and implementing acts

The European Commission is authorized to adopt delegated acts further developing and implementing the GDPR provisions, which the European Parliament and Council will have an opportunity to object to.

Chapter 11: Final Provisions

Chapter 11 concludes certain practical aspects of implementation, including repealing the previous data protection directive and setting May 25, 2018 as the date of GDPR's applicability.

EPIC's Interest

EPIC and EU and US consumer groups advocated for adoption of the, GDPR stating that it provides "important new protections for the privacy and security of consumers."

In testimony before Congress, EPIC President Marc Rotenberg has called for comprehensive U.S. privacy legislation and the creation of a federal data protection agency. EPIC and the Trans Atlantic Consumer Dialogue (TACD) have explained that the GDPR's core protections are ones that all users should be entitled to no matter where they are located.

EPIC has also historically advocated for US ratification the Council of Europe Convention 108, also known as the International Privacy Convention. This is the first binding international legal instrument on data protection, and is open to any country, including non-members of the Council of Europe.

Resources

  • General Data Protection Regulation (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Jan Philipp Albrecht, Marju Lauristin, Vera Jourová, New data protection rules fit for our digital age (Apr. 14, 2016)
  • Colin J. Bennett, The European General Data Protection Regulation: An instrument for the globalization of privacy standards?, Information Polity, Apr. 28, 2018)
  • EPIC, Privacy Shield EU-U.S. Data Transfer Arrangement
  • EPIC, Schrems v Data Protection Commissioner (International Data Transfer Cases - I & II)
  • EPIC, EU-US Umbrella Agreement
  • EPIC, Algorithmic Transparency
  • EPIC, CLOUD Act
  • Article 29 Working Party
  • International Working Group of Data Protection in Telecommunications
  • EPIC, Comments to the UK Privacy Commissioner on DPIAs (April 12, 2018)
  • TACD, Letter to Facebook Urging GDPR Compliance Globally (April 9, 2018)
  • News

  • Now Facebook confronted by overseas data-privacy fight, WND, April 14, 2018
  • After Facebook hearings, users want to know: who's protecting my data?, USA TODAY, April 12, 2018
  • It would have taken more than privacy laws to prevent the Cambridge Analytica scandal, The Hill, April 11, 2018
  • Is This European Law Behind Facebook's Privacy Shift, Newsweek, April 2, 2018
  • Congress Passes CLOUD Act - Probably Will Moot Microsoft Cloud Case Before Supreme Court, InfoQ, March 30, 2018
  • Experts warn Congress tech world won’t protect privacy by itself, WND, March 8, 2018
  • US politicos wake up to danger of black-box algorithms shaping all corners of American life, The Register, December 2, 2017
  • Max Schrems launches privacy NGO, wins €60k within first 24 hours, The Register, November 29, 2017
  • The Equifax Breach Exposes America's Identity Crisis, WIRED, September 9, 2017
  • Share this page:

    Defend Privacy. Support EPIC.
    US Needs a Data Protection Agency
    2020 Election Security