LLMpedia: The first transparent, open encyclopedia generated by LLMs

General Data Protection Regulation

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: General Data Protection Regulation
Long name: Regulation (EU) 2016/679
Caption: The regulation is a key part of European Union law.
Territorial extent: European Union and European Economic Area
Enacted by: European Parliament and Council of the European Union
Date enacted: 14 April 2016
Date commenced: 25 May 2018
Status: In force

The General Data Protection Regulation is a comprehensive data privacy and security law formulated by the European Union. Adopted in 2016 and enforceable from May 2018, it imposes obligations on organizations anywhere that target or collect data related to people in the EU. The regulation strengthens the control individuals have over their personal information and harmonizes privacy laws across Europe.

Overview

The regulation was developed to replace the outdated Data Protection Directive 95/46/EC and address the challenges of the digital age. Its creation was driven by institutions like the European Commission and received final approval from the European Parliament. A primary objective is to give citizens back control of their personal data while simplifying the regulatory environment for international business. The framework establishes a single set of rules directly applicable in all member states.

Key provisions

Core principles include lawfulness, fairness and transparency, purpose limitation, and data minimisation. It mandates that data processing requires a legal basis such as consent or a legitimate interest. A critical requirement is conducting a Data Protection Impact Assessment for high-risk processing activities. The regulation also introduces strict rules for data breach notifications to supervisory authorities and affected individuals. Provisions for Privacy by design and by default require data protection to be integrated into the development of business processes.

Scope and applicability

The territorial scope is extraordinarily broad, applying to all organizations processing the personal data of individuals in the EU, regardless of the organization’s location. This means a company based in San Francisco or Singapore must comply if it offers goods or services to, or monitors the behavior of, EU citizens. It covers both controllers and processors, including cloud service providers like Amazon Web Services. The regulation also governs the transfer of personal data outside the European Economic Area to third countries like the United States.

Rights of the data subject

Individuals are granted several enhanced rights, including the right to access their data and the right to rectification. The right to erasure, often called the "right to be forgotten," allows individuals to have their data deleted under specific circumstances. Other key rights are the right to data portability, enabling data transfer between service providers, and the right to object to processing. Data subjects also have rights related to automated decision-making and profiling.

Compliance and enforcement

Organizations must demonstrate compliance through measures like appointing a Data Protection Officer in certain cases and maintaining detailed records of processing activities. The lead supervisory authority is typically in the member state where the organization has its main establishment, following the one-stop-shop mechanism. National authorities like the Information Commissioner's Office in the United Kingdom and the Commission Nationale de l'Informatique et des Libertés in France have investigative and corrective powers. Non-compliance can result in severe administrative fines issued by bodies such as the European Data Protection Board.

Impact and criticism

The regulation has had a global impact, influencing privacy legislation worldwide, including the California Consumer Privacy Act and Brazil’s Lei Geral de Proteção de Dados. It has forced major changes in the operations of technology giants like Facebook, Google, and Microsoft. Criticisms include the high compliance burden for SMEs and complexities in implementation across different jurisdictions. Some legal scholars and industry groups argue the rules can stifle innovation and create friction for international data flows, particularly with frameworks like the EU–US Privacy Shield being invalidated by the Court of Justice of the European Union.