November 8, 2023
KEY TAKEAWAYS:
– GDPR is the EU’s current personal data protection regulation and the global standard in the field of data protection;
– Predecessors of GDPR include the OECD’s 1980 Privacy Guidelines and the 1995 Directive 95/46/EC;
– GDPR sets out many concepts and rules on data protection, such as the definitions, rights and responsibilities of data subjects, data controllers and data processors;
– The EU has been accelerating the implementation of GDPR in recent years.
The main document governing data protection in the EU is the General Data Protection Regulation (GDPR), which was adopted in 2016 and went into effect in 2018. GDPR serves to strengthen the protection of individuals’ rights in the digital age and to facilitate business amid the rise of the digital single market. This single piece of legislation also unifies the differing legal frameworks of EU member states and reduces the administrative burden. The main regulator for data protection in the EU is the European Data Protection Board (EDPB), an independent European body which contributes to the consistent application of data protection rules throughout the EU and promotes cooperation between the EU’s data protection authorities. Currently, GDPR is the single most progressive piece of personal data protection legislation in the world. Many other countries have sought to emulate GDPR’s success, such as China with its Personal Information Protection Law, which came into effect in 2021.
While the GDPR is the most comprehensive data protection regulation to date, it is not the first of its kind in the EU. The first attempt to tackle the issue was the OECD’s 1980 Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (“OECD’s Privacy Guidelines”). The guidelines include several important principles that laid the foundation for later regulations such as the GDPR, including: the purpose of data collection should be related to its use; data should be protected against loss and unauthorized access; individuals should have the right to know what data is collected about them; individuals should have the right to access any data relating to them; and an individual should be able to challenge the retention of data, or amend or erase data about him or her. The guidelines quickly became the global standard for information practices. However, since they were only guidelines, they were not binding upon member states. The issue of compliance was further exacerbated by the fact that some member countries also passed their own privacy laws with little international unity. While they did not achieve a great deal of practical success, the OECD Guidelines were a progressive step forward in the fight for data protection.
In 1995, the EU officially adopted Directive 95/46/EC (“Directive”), also known as the Data Protection Directive. The Directive was largely based on the principles of the OECD’s Guidelines; however, unlike the OECD’s Guidelines, the Directive was a piece of binding legislation that member states had to comply with. This was the first concrete step forward for data protection regulation in the EU and helped to resolve the conflicting privacy laws of member states at the time. For a time, the Directive was the standard for data protection; however, no piece of legislation can last forever, especially in the face of modern technological advances. As such, in 2012, the European Commission submitted a proposal for a comprehensive reform of the EU’s data protection regulations. The goal was to create an EU-wide law binding on all member states which would be even more concrete and unified than the Directive. On December 15, 2015, the European Parliament, Council and Commission agreed on the new data protection rules, dubbed the General Data Protection Regulation or GDPR. The text was finalized on April 8, 2016 and approved by the European Parliament on April 14, 2016.
GDPR sets out the general definitions regarding data. A data controller is any entity which determines the purposes and means of the processing of personal data, while a data processor is any entity that processes the data on behalf of the controller. The GDPR defines personal data as any information relating to an identified or identifiable natural person, by reference to an identifier. GDPR does not explicitly define “sensitive data”; however, there is a special category of data which includes racial or ethnic origin, political opinions, religious and philosophical beliefs, and genetic, biometric, health or sexual orientation data.
The GDPR also sets out the principles of data gathering and processing, which include: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Data subjects are entitled to receive information from the data controller such as: the identity and contact information of the controller and its representative (when applicable), the contact information of the data protection officer (when applicable), the purpose and legal basis of the data processing, the legality of the data processing, the recipients of the data, and whether the data will be transferred to third countries or international organizations. Data subjects are also entitled to request that data controllers allow access to, rectify or delete their personal data, or restrict the processing, and to object to the processing, as well as the right to data portability and the right not to be subject to automated decision-making. Furthermore, data subjects are entitled to withdraw their consent to data processing, to lodge a complaint with the supervisory authority, and to receive compensation for material and non-material damages.
GDPR also sets out the responsibilities of controllers and processors. Controllers under GDPR have the highest level of responsibility: they must actively demonstrate their compliance and are responsible for the compliance of the processors they employ to process data. Data controllers must: take into account the purpose, nature, context and scope of any data processing activities; consider the possibility and probability of any severe risk to the rights and freedoms of natural persons; implement appropriate organizational, technical and security measures that demonstrate that the data processing activities have been performed in accordance with GDPR; and review and update these measures where necessary. Data processors, on the other hand, only have to implement appropriate organizational and technical measures to meet the requirements set out by the GDPR when processing personal data under the instructions of the data controllers.
Data transfers to a third country or an international organization must be based either on a European Commission decision recognizing that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection (such transfers do not require specific authorization), or on appropriate safeguards provided by the controller or processor, on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
Infringements of GDPR provisions can be subject to fines of up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The launch of GDPR in 2018 catapulted the topic of data protection to the forefront of the global legal landscape. Overall, GDPR has significantly improved the regulation of consumer data protection and provided a solid framework to enforce such regulation. This has forced both private enterprises and governments all over the world to pay closer attention to data privacy. Many countries have enacted their own legal regulations on the matter, most notably the Personal Information Protection Law (PIPL) issued by the Chinese government, which went into effect in 2021. On the other hand, while private enterprises were rather complacent when GDPR first went into effect, many companies have been fined in recent years, which has prompted numerous changes in large and small firms alike to adapt to the new legal landscape, though the impacts have not been proportional.
In recent years, the EU has been handing out fines to enforce GDPR at an unprecedented rate. According to DLA Piper, European data protection supervisory authorities collectively issued $1.25 billion in fines in 2021, which was astronomical considering that the total fines of the previous year amounted to only $180 million. There is no doubt that the EU is clamping down hard on GDPR violators. These fines serve as a warning to deter others from repeating the same offenses.
In all, after more than four years in effect, GDPR has transformed the global data protection landscape. Its impact can be felt in both the public and private sectors. While GDPR is the most progressive piece of data protection legislation at the moment, it is also undeniable that the cyber landscape will continue to evolve in unpredictable directions. Amendments and implementing measures for GDPR are sure to be adopted in order to better suit reality and adapt to the changes to come.
[1] European Data Protection Board, ‘Who we are’ (EDPB) <https://edpb.europa.eu/about-edpb/about-edpb/who-we-are_en> accessed 11 January 2023.
[2] Jay F. Kramer, Sean B. Hoar, ‘GDPR, Part I: History of European Data Protection Law’ (Lewis Brisbois) <https://lewisbrisbois.com/assets/uploads/files/GDPR,_Part_I-_History_of_European_Data_Protection_Law.pdf> accessed 1 February 2023.
[3] Nate Lord, ‘What is the Data Protection Directive? The Predecessor to the GDPR’ (Digital Guardian, 28 December 2022) <https://digitalguardian.com/blog/what-data-protection-directive-predecessor-gdpr> accessed 1 February 2023.
[4] GDPR, art 4.
[5] GDPR, art 9.
[6] GDPR, art 5.
[7] GDPR, art 13.
[8] GDPR, art 16 to 22.
[9] GDPR, art 24.
[10] GDPR, art 28.
[11] GDPR, art 44 to 46.
[12] GDPR, art 83.
[13] Consultancy.uk, ‘Four years on, companies still struggle with GDPR compliance’ (Consultancy.uk, 15 June 2022) <https://www.consultancy.uk/news/31493/four-years-on-companies-still-struggle-with-gdpr-compliance> accessed 11 January 2023.
[14] Ross McKean, Ewa Kurowska-Tober, Heidi Waem, ‘DLA Piper GDPR fines and data breach survey: January 2022’ (DLA Piper, 18 January 2022) <https://www.dlapiper.com/en/asiapacific/insights/publications/2022/1/dla-piper-gdpr-fines-and-data-breach-survey-2022/> accessed 11 January 2023.