GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law. It provides individuals with rights over the use of their personal data, and sets out rules that companies and organizations must follow when collecting and using personal data about individuals. GDPR has been in force since 2018.

GDPR has broad consequences for the Internet. Websites and apps often collect large amounts of personal information (for example by using Web trackers to build behavioral profiles of users). A significant amount of economic activity on the Internet—the so-called surveillance economy—is based on this practice, and it harms Internet users. GDPR is partly meant to address this problem.

What’s in GDPR?

The GDPR is a law that sets out rules companies and organizations must follow when processing personal data in order to safeguard people’s fundamental rights and freedoms. It also gives individuals a number of rights over the use of their personal data. GDPR stipulates several important things, including:

• Lawful basis: Companies must have a “lawful basis for processing” personal data (there are six lawful bases that an organization can rely on), including…
  • An individual gives their consent to a specified purpose
  • The processing is necessary for entering into/the performance of a contract with the individual
  • The processing is necessary to comply with a legal obligation
  • The processing is necessary to meet the legitimate interests of an organization
• Transparency and fairness: Companies must provide clear explanations of what personal data they collect, what they will do with it, and what rights people have over their data. Personal data should be used in ways that are fair to individuals.
• Individual Rights: People have the right to know that personal data about them is being processed, and to access or obtain a copy of their personal data. They can also request that companies correct or delete their personal data.
• Procedures around data breaches: Companies that suffer data breaches must notify relevant data protection authorities, as well as individuals that are put at a high risk by the breach.

The GDPR gives data protection authorities (DPAs) a number of enforcement powers. These include imposing fines up to 2% or 4% of global turnover, or 10 million or 20 million euros, whichever is higher, depending on the infringement. DPAs can also temporarily prohibit or permanently prohibit the processing of personal data in serious cases.

One intended effect of GDPR and its penalties is to make it risky for companies to process personal data unlawfully, keep more personal data than they need, or keep data longer than they need to. All of these effects can help reduce the likelihood and severity of data breaches.

Does GDPR have effects outside the European Union?

Although GDPR is an EU law, it has a global reach. Its protections apply to people in EU member states, regardless of their citizenship or where their data is processed. Even companies based outside the EU have obligations under GDPR if they’re processing personal data about individuals in the EU.

Companies must comply with GDPR if they want to do business in the EU, which is one of the largest single markets in the world.

Why is GDPR important?

The GDPR replaces a 1995 EU data protection law. The GDPR builds on this earlier law, strengthening the rights of individuals over their data and the obligations organizations must follow; it also introduces tougher penalties to make organizations more accountable. The GDPR is a human rights-based law, with a key objective being to protect the fundamental rights and freedoms of individuals under the EU Charter of Fundamental Rights; this includes a fundamental right to the “protection of personal data.” The GDPR seeks to achieve a balance between these fundamental rights and freedoms, and the lawful use of individuals’ personal data.

The GDPR reflects both that an individual’s personal data is important to their human dignity, and that their flourishing depends on freedom from harmful uses of their data—the law recognizes the potential danger of allowing companies to handle a person’s data without restriction or oversight. GDPR aims to transfer risks away from individuals and onto companies, incentivizing them to implement good practices that respect and protect the fundamental rights and freedoms of individuals.

GDPR has also inspired regulations in other jurisdictions, such as the California Consumer Privacy Act (CCPA). As of now, there are approximately 160 data protection laws around the world, signaling that the protection and responsible use of personal data matters.

Complimenting the GDPR is the EU ePrivacy Directive (ePD) that has been in force since 2002. The ePD seeks to protect the confidentiality and privacy of people’s communications including their browser behavior, and even data and documents stored on a person’s device. For example, where a website or mobile app wants to access information on your device or wants to store information on your device for purposes that are not strictly necessary for a requested service, then the website or mobile app must ask for an individual’s consent.

What we do on our own devices is extremely personal, intimate, and private. Our devices, especially our mobile devices, have become an extension of our private lives protected under human rights law such as the European Convention on Human Rights and the EU Charter of Fundamental Rights.