GDPR: Europe’s New Wide-Ranging Data Protection Law and What It Means for Businesses around the Globe
Lumen Database Blog 2017-06-22
Summary:
For over twenty years, European data protection laws have been rooted in the Directive 95/46/EC passed in 1995. Its intention was to regulate the processing of personal data within the European Union, with an emphasis on empowering the individual’s right to privacy, while setting up a basis for member states to implement data protection laws in preparation for the upcoming “digital age.” Although the Directive is over two decades old, it was instrumental in the court ruling granting European citizens a “right to be forgotten” in 2014. The decision to rule in favor of such a right was based on the court’s opinion that Google was to be classified as a “data controller,” and therefore was subject to the Directive’s reach, expanding individuals’ control over their personal data to include the right to remove specific search results about them that were not otherwise deemed to be in the public interest.
While the Directive maintains significant importance today, it was enacted into law three years before the founding of Google, before the mass adoption of the Internet, and long before anyone could have predicted that almost two billion people would be connected through a single social network. Things have changed, and European lawmakers have set out to modernize the aging Directive. After four years of negotiations, revisions, and heavy lobbying, the European Parliament finally voted on what is considered to be “the biggest shake up” of data protection laws in decades. The General Data Protection Regulation (GDPR) expands the definition of personal data to include unique online identifiers such as IP addresses and UDIDs, in addition to protection over names, addresses, credit card numbers, search histories, biometrics, user-generated content, and much more. It also applies extra-territorially to any entity that offers goods and services, paid or free, to EU residents, regardless of where the entity is physically located. Any entity that holds or uses European personal data, including businesses, governmental organizations, charities, and schools, will be subject to the new regulations.
Compliance with the GDPR will be mandatory effective May 2018, giving companies less than a year from now to prepare for its extensive set of requirements. Central to the law is a set of rights deemed fundamental to the user. Existing rights such as the right to be forgotten are codified into the regulation, as well as the enhancement and creation of several additional rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure (RTBF)
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
One notable addition here is the right to data portability, which requires data controllers to provide all of a user’s personal data to them upon request in a commonly used format, so as to ease the process of transferring data to another entity if they so choose. The right of access and the right to rectification permit users to access and modify their personal data as they see fit. The GDPR also places heavy emphasis on the number of notices and disclosures required to be released before collecting or processing personal data. Controllers will likely have to invest in simplified, more transparent user interfaces, as they are required to communicate with users “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
This is a law that breaks new ground in terms of its breadth and scope. If a company controls the personal data of so much as a single EU resident, it will have to comply with the new regulations by May 25, 2018 or face major penalties, irrespective of its location. In fact, this is likely the biggest motivating factor pushing organizations of all sizes toward compliance. Article 83 of