{ subscribe_url: '/share/sites/library-of-congress-blogs/law.php' }

Personal Data Protection and the EU GDPR

Everyone is talking about the European Union‘s (EU) General Data Protection Regulation (GDPR) which takes effect today. Recent news reports about misuse of personal data suggest that rules to protect personal data are essential in today’s interconnected (online) world. But what is the GDPR exactly? And why should you care about an EU law if you live in the United States?

General Overview

In the EU, the protection of personal data and the respect for private life are fundamental rights, codified in the EU Charter and in the Treaty on the Functioning of the European Union (TFEU). The GDPR is the result of a long legislative process with the aim to replace and update current data protection rules and adapt them to the digital age. It covers the processing of all personal data, irrespective of the means of transmission. Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” (GDPR, Art. 4 (1)).  Examples of personal data include name, home address, email address, location data, genetic data, health data, or data concerning criminal convictions.

The GDPR is complemented by the ePrivacy Directive which states how data protection principles apply to the electronic communications sector to ensure the confidentiality of communications. A proposal to update and replace the ePrivacy Directive with an ePrivacy Regulation is currently being debated in the European Parliament and the Council and is slated to go into effect in the summer of 2018. Unlike the GDPR, the ePrivacy rules are applicable to personal and non-personal data.

Scope

The GDPR has a broad material and territorial scope. “Processing” personal data is any operation performed on personal data such as collection, recording, organization, structuring, storage, consultation, use, dissemination, or destruction, among others. (GDPR, Art. 4(2)). Examples provided by the European Commission include staff management and payroll administration; access to or consultation of a contacts database containing personal data; sending promotional emails; shredding documents containing personal data; posting or putting a photo of a person on a website; or storing IP addresses or MAC addresses.

One of the reasons why an EU law might affect businesses and organizations in the U.S. is the broad territorial scope of the GDPR. Its rules apply not only to businesses that have an establishment in the EU, but to all businesses, regardless of location, that offer goods and services to consumers located in the EU or that monitor the behavior of EU consumers. Monitoring behavior means tracking an EU resident on the internet as well as the potential subsequent use of personal data processing techniques to profile that person to analyze or predict her or his personal preferences, behaviors, and attitudes.

Atelier data privacy. Photo by Flickr user DJANDYW.COM AKA NOBODY. Dec. 9, 2016. Used under Creative Commons license, https://creativecommons.org/licenses/by/2.0/.

Rights and Principles

Individuals are guaranteed certain rights with regard to their personal data, such as receiving information in clear and plain language on what personal data is stored, why, and how long; the right to access data; the right to object to the processing; the right to correct incorrect data; the right to have data deleted (“right to be forgotten“); the right to move personal data to a different company (data portability); and the right to have a decision based solely on automated processing (an algorithm) be made or reviewed by a natural person instead of a computer, for example the refusal of an online credit application.

Controllers processing personal data must ensure that the processing complies with the principles set out in the GDPR, in particular lawfulness, meaning there needs to be a proper legal basis for the processing. “Controllers” of personal data include search engines and social networking services. Most of the time, data is processed because of consent given by the individual. The notion of consent is given a prominent place in the GDPR. Consent is only valid if it is freely given, specific, informed, and an unambiguous indication of a person’s agreement to the processing by means of a statement or clear affirmative action. (GDPR, Art. 4(11)). That means that silence, pre-ticked boxes (checked by default), or inactivity do no constitute valid consent. Furthermore, withdrawing consent needs to be as easy as giving consent.

Businesses are obligated to notify the national data protection authorities of a data breach without undue delay and additionally notify the individual if there is a high risk that rights and freedoms are violated. Failure to notify such a breach may result in fines, in addition to or instead of other corrective measures such as a warning, reprimand, or the suspension of the processing of personal data. Certain breaches may result in fines of up to €20 million (about US$23.5 million) or 4% of a company’s global turnover. However, the GDPR only sets the maximum amount for a fine. It is up to the national data protection authorities to determine an effective, proportionate, and dissuasive sanction which should be equivalent across the EU.

Transfer of Personal Data Outside the EU

Why else should anyone in the U.S. care about the GDPR? The GDPR contains rules about the transfer of personal data to countries outside of the EU. Such a transfer is only possible if the European Commission determines that the foreign country offers an “adequate level” of data protection. In general, the U.S. data protection rules only fulfill these requirements if the data is transferred within the framework of the EU-U.S. Privacy Shield, an approved data transfer mechanism. Companies that are not self-certified to the Privacy Shield principles can instead use approved standard contractual clauses or adhere to approved binding corporate rules to transfer personal data outside of the EU.

In order to enforce the data protection rules of the GDPR internationally, the GDPR obligates the EU Commission and the national supervisory authorities to develop international cooperation mechanisms, provide international mutual legal assistance, engage relevant stakeholders, and promote the exchange and documentation of personal data legislation. (GDPR, Art. 50).

Further Information

This blog post is intended to provide a brief overview of the GDPR and why it may affect a company or an organization in the U.S. If you would like to find out more about the GDPR and data protection in the EU as well as in the EU Member States France, Germany, Italy, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom, and how it compares to the data protection laws in Australia, Canada, Israel, and Japan, I suggest consulting the recently published Law Library of Congress report Online Privacy Law (2017 Update). The report updates two earlier reports from 2012 that reviewed the right to personal data protection and the right to privacy on the web in the EU and in selected countries.

3 Comments

  1. James Hulme
    May 25, 2018 at 12:01 pm

    European Union countries need to implement this data privacy regulation in order to protect both personal and corporate data.

  2. Felix Njofie
    March 26, 2020 at 3:18 pm

    Dear Sir Madam
    Can any citizen of any country by human right laws protection art has the right to request information regard to data protection art if you suspect that you have been unlawful watch or monitor by government. Thanks for your time and assistance.

Add a Comment

This blog is governed by the general rules of respectful civil discourse. You are fully responsible for everything that you post. The content of all comments is released into the public domain unless clearly stated otherwise. The Library of Congress does not control the content posted. Nevertheless, the Library of Congress may monitor any user-generated content as it chooses and reserves the right to remove content for any reason whatever, without consent. Gratuitous links to sites are viewed as spam and may result in removed comments. We further reserve the right, in our sole discretion, to remove a user's privilege to post content on the Library site. Read our Comment and Posting Policy.

Required fields are indicated with an * asterisk.