
General Data Protection Regulation

The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business.[1] It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Title: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive)

Adopted: 14 April 2016

Applicable from: 25 May 2018

Procedure reference: COM/2012/010 final – 2012/0010 (COD)

The European Parliament and Council of the European Union adopted the GDPR on 14 April 2016, with effect from 25 May 2018. As an EU regulation (rather than a directive), the GDPR is directly applicable with force of law on its own, without the need for transposition. However, it also provides flexibility for individual member states to modify (derogate from) some of its provisions.


The regulation became a model for many other laws around the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. After leaving the European Union, the United Kingdom enacted its "UK GDPR", identical to the GDPR. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.[2]

The GDPR permits the processing of personal data only if at least one of the following legal bases applies:

(a) If the data subject has given consent to the processing of his or her personal data;

(b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;

(c) To comply with a data controller's legal obligations;

(d) To protect the vital interests of a data subject or another individual;

(e) To perform a task in the public interest or in official authority;

(f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by the interests of the data subject or his or her rights according to the Charter of Fundamental Rights (especially in the case of children).[6]

Some activities are not specifically addressed in the GDPR and are therefore treated as exemptions: personal or household activities, law enforcement and national security.[6][40]

The GDPR was created strictly to regulate personal data that passes into the hands of companies; non-commercial information and household activities are not covered.[41] An example of such a household activity is email exchanged between two high school friends.

Conversely, an entity, or more precisely an "enterprise", has to be engaged in "economic activity" to be covered by the GDPR.[b] Economic activity is defined broadly under European Union competition law.[42]


Some common misconceptions about GDPR include:

Reception

As per a study conducted by Deloitte in 2018, 92% of companies believe they are able to comply with GDPR in their business practices in the long run.[63]


Companies operating outside of the EU have invested heavily to align their business practices with the GDPR. The area of GDPR consent has a number of implications for businesses that record calls as a matter of practice. A typical disclaimer is not considered sufficient to establish assumed consent to record calls. Additionally, once recording has commenced, should the caller withdraw their consent, the agent receiving the call must be able to stop the recording already in progress and ensure that it is not stored.[64]


IT professionals expect that compliance with the GDPR will require additional investment overall: over 80 percent of those surveyed expected GDPR-related spending to be at least US$100,000.[65] The concerns were echoed in a report commissioned by the law firm Baker & McKenzie that found that "around 70 percent of respondents believe that organizations will need to invest additional budget/effort to comply with the consent, data mapping and cross-border data transfer requirements under the GDPR."[66] The total cost for EU companies is estimated at €200 billion, while for US companies the estimate is $41.7 billion.[67] It has been argued that smaller businesses and startup companies might not have the financial resources to adequately comply with the GDPR, unlike the larger international technology firms (such as Facebook and Google) that the regulation is ostensibly meant to target first and foremost.[68][69] A lack of knowledge and understanding of the regulations has also been a concern in the lead-up to its adoption.[70] A counter-argument has been that companies were made aware of these changes two years before they came into effect and should have had enough time to prepare.[71]


The regulations, including whether an enterprise must have a data protection officer, have been criticized for potential administrative burden and unclear compliance requirements.[72] Although data minimisation is a requirement, with pseudonymisation being one of the possible means, the regulation provides no guidance on how or what constitutes an effective data de-identification scheme, leaving a grey area as to what would be considered inadequate pseudonymisation subject to Section 5 enforcement actions.[34][73][74] There is also concern regarding the implementation of the GDPR in blockchain systems, as the transparent and fixed record of blockchain transactions contradicts the very nature of the GDPR.[75] Many media outlets have commented on the introduction of a "right to explanation" of algorithmic decisions,[76][77] but legal scholars have since argued that the existence of such a right is highly unclear without judicial tests and is limited at best.[78][79]


The GDPR has garnered support from businesses who regard it as an opportunity to improve their data management.[80][81] Mark Zuckerberg has also called it a "very positive step for the Internet",[82] and has called for GDPR-style laws to be adopted in the US.[83] Consumer rights groups such as The European Consumer Organisation are among the most vocal proponents of the legislation.[84] Other supporters have attributed its passage to the whistleblower Edward Snowden.[85] Free software advocate Richard Stallman has praised some aspects of the GDPR but called for additional safeguards to prevent technology companies from "manufacturing consent".[86]

Timeline

25 January 2012: The proposal for the GDPR was released.[9]

21 October 2013: The European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.

15 December 2015: Negotiations between the European Parliament, Council and Commission (formal trilogue meeting) resulted in a joint proposal.

17 December 2015: The European Parliament's LIBE Committee voted for the negotiations between the three parties.

8 April 2016: Adoption by the Council of the European Union.[147] The only member state voting against was Austria, which argued that the level of data protection in some respects falls short compared to the 1995 directive.[148][149]

14 April 2016: Adoption by the European Parliament.[150]

24 May 2016: The regulation entered into force, 20 days after its publication in the Official Journal of the European Union.[17]

6 May 2018: The Data Protection Directive for the police and justice sectors was transposed into national legislation, applicable from this day.[151]

25 May 2018: Its provisions became directly applicable in all member states, two years after the regulation entered into force.[17]

20 July 2018: The GDPR became valid in the EEA countries (Iceland, Liechtenstein, and Norway),[152] after the EEA Joint Committee and the three countries agreed to follow the regulation.[153]

EU Digital Single Market

The EU Digital Single Market strategy relates to "digital economy" activities related to businesses and people in the EU.[154] As part of the strategy, the GDPR and the NIS Directive both apply from 25 May 2018. The proposed ePrivacy Regulation was also planned to be applicable from 25 May 2018, but will be delayed for several months.[155] The eIDAS Regulation is also part of the strategy.


In an initial assessment, the European Council has stated that the GDPR should be considered "a prerequisite for the development of future digital policy initiatives".[156]

Similar privacy laws in other countries:

California Consumer Privacy Act (CCPA)

Children's Online Privacy Protection Act (COPPA) (USA)

General Personal Data Protection Law (LGPD) (Brazil)

Personal Data Protection Act 2012 (PDPA) (Singapore)

Personal Information Protection Law (PIPL) (China)

Protection of Personal Information Act (PoPIA) (South Africa)



External links:

General Data Protection Regulation, consolidated text on EUR-Lex

General Data Protection Regulation, initial legal act in the OJEU

European Commission: Data protection

EUR-Lex: Procedure 2012/0011/COD

European Union Agency for Fundamental Rights: Handbook on European data protection law