On 25 May 2018, the General Data Protection Regulation (GDPR) became applicable across the EU's 28 member states. The Facebook Cambridge Analytica scandal made clear how important strong data protection rules are for society as a whole and for the proper functioning of the democratic process. These and other developments have shown that the protection of privacy is crucial: as a central individual right, as a democratic imperative and as an economic necessity. The General Data Protection Regulation is the European Union's response to these challenges and opportunities. It seeks to create a virtuous circle between better protection of privacy as a fundamental right, greater consumer confidence in how the privacy and security of their data is guaranteed, in particular in the online world, and economic growth.
In essence, this law changes the rules for companies and organizations that collect, store or process large amounts of information on EU residents, requiring more openness about what data they hold and who they share it with. The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It is an essential step to strengthen citizens' fundamental rights in the digital age and to facilitate business by simplifying the rules for companies in the digital single market. A single law also does away with the previous fragmentation and costly administrative burdens: instead of having to deal with 28 different data protection laws and 28 different regulators, one set of rules applies and is interpreted in a uniform way throughout the continent. In summary, the GDPR applies to any business that processes personal data, whether by automated means or manually as part of a structured filing system. Companies based outside the EU must apply the same rules as European companies when offering their goods or services to individuals in the EU or monitoring their behaviour.
The regulation focuses on:
Reinforcing individuals' rights;
Strengthening the EU internal market;
Ensuring stronger enforcement of the rules;
Streamlining international transfers of personal data; and
Setting global data protection standards.
The changes give people more control over their personal data and make it easier to access it. They are designed to make sure that people's personal information is protected no matter where it is sent, processed or stored, even outside the EU, as is often the case on the internet.
Nine out of ten Europeans have expressed concern about mobile apps collecting their data without their consent, and 7 out of 10 worry about the potential use that companies may make of the information disclosed. The new rules address these concerns through:
– A "right to be forgotten" – When an individual no longer wants his or her data to be processed, and provided that there are no legitimate grounds for retaining it, the data must be deleted.
– Easier access to data – Individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
– The right to know when one's data has been breached – Companies and organizations must notify the national supervisory authority of data breaches that put individuals at risk (without undue delay and, where feasible, within 72 hours of becoming aware of the breach), and must communicate high-risk breaches to the affected data subjects without undue delay.
– Data protection by design and by default – 'Data protection by design' and 'data protection by default' are now essential elements of the EU data protection rules. Data protection safeguards must be built into products and services from the earliest stage of development, and privacy-friendly default settings become the norm, for example on social networks and in mobile apps.
Many aspects of EU data protection law introduced by the GDPR are particularly relevant for foreign operators. Data protection rules are harmonized not only on paper but also in the way they are interpreted and enforced, through a network of national data protection authorities (the "one-stop shop" and the consistency mechanism). Prior notification and authorization requirements are abolished as the system moves from an approach based on ex-ante controls to one relying on the principle of accountability. Foreign business operators benefit from a significantly more unified and simplified regulatory environment. The GDPR does not apply to all foreign businesses, but companies established in the EU, or specifically targeting the EU market by monitoring EU consumers or by offering them goods or services in a targeted way, must comply with it. The GDPR also strengthens the role of national data protection authorities and harmonizes enforcement tools, including fines. In order to be credible and dissuasive, administrative fines are foreseen for failures to comply of up to €10 million or 2% of annual global turnover, whichever is higher, for the lower tier of infringements, and up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious ones (such as breaches of the basic processing principles or of data subjects' rights). These are only maximum amounts, however, and a fine is imposed only after careful examination of the specific circumstances of each case on the basis of the eleven factors listed in the GDPR (among them the gravity of the infringement, the number of individuals affected, its duration, and whether the violation was intentional or negligent).
The new data protection regulation has economic, political and diplomatic impacts. Third-country authorities and economic operators must comply with the GDPR if they offer goods or services to EU residents. An organization or company can request the advice of the European Commission to better understand how the GDPR applies to it. Many third countries have ambitions to follow the EU model, recognizing that strong privacy rules are in demand in a globalized world. Korea and Japan, for example, have already asked the European Commission for an adequacy decision. Others, such as Brazil and India, are considering new data protection rules that resemble the principles laid down in the GDPR; this may shape the approach to personal data protection in partner countries and regions so that it becomes compatible with the EU framework.
Read more: data-protection-factsheet-changes_en
Contact point: JUST-GDPR-INFO-REQUESTS@ec.europa.eu