EU General Data Protection Regulation

Summary

The European Commission proposed a reform of EU data protection rules in January 2012 to make Europe fit for the digital age. After a long negotiating and adopting process the General Data Protection Regulation (GDPR) became final in the spring of 2016. The purpose of the GDPR is to strengthen the fundamental rights of individuals and put users back in control of their personal data. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. The single law will also tackle fragmentation of rules and provide legal certainty for businesses. The comprehensive data protection legislation will fully enter into force on May 24, 2016. The reform legislative package also includes the new Law Enforcement Data Protection Directive (LEDP).

Background

The reform of European data protection rules was built on the current Data Protection Directive (Directive 95/46 of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). The Directive was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed. The Directive went into effect in October, 1998.

The EU has recognized the need to update its laws to achieve the so-called Digital Single Market. One of the objectives of the Digital Single Market Strategy was to conclude negotiation on common EU data protection rules.

Timeline of the Final Adoption Process

December 15, 2015: The European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements with very large majorities. December 17-18, 2015: The agreements were also welcomed by the European Council. April 8, 2016: The Council adopted the GDPR and the LEDP. April 14, 2016: The GDPR and the LEDP were adopted by the European Parliament. May 4, 2016, the official texts have been published in the EU Official Journal in all the official languages. While the GDPR will enter into force on May 24, 2016, it shall apply from May 25, 2018. The LEDP enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.

Main Elements of the GDPR

The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age, said European Parliament Member Jan Philipp Albrecht. The main principle is that the GDPR must provide the same or higher level of personal data protection than the 95/46 Directive.

The main achievement of the GDPR is to provide clearer and more understandable information on how Europeans’ personal data is processed. People will have a right to know when their data has been hacked under the data breach notification rules. It has been long overdue to secure data portability for users which allows for the transfer of personal data between service providers. The GDPR further clarifies the “right to be forgotten” that ensures the right to request search engines to remove links leading to personal information under certain conditions. The new rules create the ground for closer coordination between the data protection supervisory authorities within a European Data Protection Board. The new rules encourage privacy-friendly techniques such as pseudonymisation and data protection by design, and also promote encryption. It is an important overall rule that non-EU companies will have to apply the same rules as EU companies when offering services in the EU.

The GDPR strengthens the concept of consent as a basis for collecting and using individuals’ personal data, Individuals must give consent to the processing of their data. The rules require “a clear affirmative action establishing a freely given, specific, informed and unambiguous indication”. That means that simply having an opt-out mechanism — for instance, one where users must uncheck a box to indicate that they do not want their data used — will not be accepted as true consent.

In the era of big data a major step forward is the right to object to profiling which can be invoked when the user’s information is gathered to be evaluated, analysed, and used to predict her behaviour and make assumptions. This practice is almost all the time discriminatory and against the right to privacy.

On the enforcement side, data protection authorities can fine companies committing serious data protection infringements up to 4% of their total worldwide annual turnover.

Despite the overall positive outcome of the GDPR, Access Now and EDRi have expressed serious concerns about caveats in the text that could negatively impact the application of the new rules and the level of data protection. According to the analysis of Access Now, the most important loopholes concern the following issues:

  • Unclear ‘legitimate interests” clause for private sector data collection. Just as the 1995 Directive provided, the regulation lets companies collect users’ personal data for their ‘legitimate interest’ — an umbrella term that creates a significant loophole, since it goes against the concept of users having control over their data.
  • Member states could also use data for broadly defined purposes. Member states could infringe users’ rights if there is a ‘national security’, ‘defence’, or ‘public security’ concern. These are sweeping terms that EU legislators have used to make the legislative process opaque.
  • Some confusion on age of consent for using online services. One of the last-minute changes to the GDPR concerns when there is no longer a need for parents to give consent before a child can enter data to use online services. It looked as though parents of children under 16 would be required to give consent, but now the age is a range from 13-16, with each member state free to determine the age individually. Leaving this decision up to each and every member state will not achieve the goal of harmonised rules across the EU.
  • Lack of clarity on how to apply the rules. The compromise achieved in this regulation lacks ambition in crucial parts of the text. The GDPR allows for more than 30 exceptions where EU countries can decide how to apply the rules.
  • EDRi published two documents in which they offer a summary and a detailed analysis of the provisions of the GDPR that allows for flexibilities for EU Member States in how to apply and interpret the new rules. Unfortunately there are almost as many flexible provisions in the GDPR than there are in the preceding Data Protection Directive which goes against the original harmonizing purpose. Governments and data protection authorities should “implement the GDPR in a way which protects the essence of the right to data protection by implementing the most privacy friendly interpretation of these flexibilities”.

    Law Enforcement Data Protection Directive (LEDP)

    The LEDP’s original goal was the protection of personal data in the context of the use by “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties”. Organizations like the European Digital Rights initiative (EDRi) have criticized the final text for including “safeguarding against and the prevention of the threats to public security”. It is not clear whether or how it will relate to any activities of intelligence agencies that fall outside of EU legal competence, but where the EU itself, for example through Europol, is increasing its activities. The Directive contains numerous loopholes which, if not carefully addressed, will undermine the already fragile data protection regime.

    The new directive will allow for smoother cooperation and exchange of information between member states’ police and judicial authorities based on a common standard of data protection. The risk is, however, that the directive allows massive transfer of data from law enforcement agencies in the Member States (inside the Directive’s scope) to the respective national security agencies (outside the Directive’s scope).

    EPIC's Interest

    EPIC and EU and US consumer groups have supported the European law, stating that it provides "important new protections for the privacy and security of consumers."

    EPIC supports the ratification of an international privacy framework. Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention.

    EPIC has provided expert opinion to decision makers during the negotiations about data transfers between the EU and the US. EPIC has urged both sides to respect the decision of the Court of Justice of the European Union in the Safe Harbor case and provide adequate protections for personal data in transatlantic transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement.

    Resources

  • European Commission, Reform of EU data protection rules (2016)
  • General Data Protection Regulation (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Law Enforcement Data Protection Directive (DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA)
  • EPIC webpage, EU Data Protection Directive (2016)
  • Diego Naranjo, Proceed with Caution: Flexibilities in the General Data Protection Regulation, EDRi (July 5, 2016)
  • EPIC webpage, Privacy Shield EU-U.S. Data Transfer Arrangement (2016)
  • EPIC webpage, EU-US Umbrella Agreement (2016)
  • Diego Naranjo, Data Protection Directive on law enforcement: The loopholes, EDRi (Nov. 18, 2015)
  • Jan Philipp Albrecht, Marju Lauristin, Vera Jourová, New data protection rules fit for our digital age (Apr 14, 2016)
  • EPIC webpage, Max Schrems v Irish Data Protection Commissioner (Safe Harbor), (2016)
  • Share this page:

    Support EPIC

    EPIC relies on support from individual donors to pursue our work.

    Defend Privacy. Support EPIC.

    #Privacy

    EPIC Bookstore

    Communications Law and Policy

    Communications Law and Policy
    Jerry Kang and Alan Butler