The European Union general data protection regulation: what it is and what it means
Related papers
Challenges of General Data Protection Regulation (GDPR)
Proceedings of the International Scientific Conference - Sinteza 2018, 2018
The aim of this paper is to present the General Data Protection Regulation (GDPR): an overview of current achievements in this domain within the framework of existing knowledge in literature, international standards and best practice as far as the GDPR is concerned. This paper is particularly dedicated to the GDPR, which harmonizes data protection requirements across all 28 Member States, introduces new rights for data subjects, and applies extraterritorially to any organization controlling or processing data on natural persons in the European Union.
GDPR and challenges of personal data protection
The European Journal of Applied Economics
This paper discusses the challenges of implementing GDPR regulation in the EU and the Republic of Serbia. The regulations governing the issue of personal data protection are outlined. Emphasis is placed on reconciling this issue in the Republic of Serbia with EU legislation. The aim of this paper is to look at GDPR regulations from several standpoints of the business of taxpayers. It is necessary to include all segments of a business entity in the implementation of this regulation, as well as bodies at the national level. It is necessary to adopt by-laws in order to fully implement the Law on Personal Data Protection in the Republic of Serbia.
European privacy legislation: a legal and economic analysis
2020
As of July 2020, the General Data Protection Regulation 2016/679 (GDPR) has been in force for more than two years. Together with the e-Privacy Directive 2002/58/EC, it applies to millions of European businesses across all sectors. Both pieces of legislation have been challenging to implement for industry stakeholders. A review of their reports serves as the basis of a qualitative legal analysis of the GDPR, the E-Privacy Directive and the draft of the coming E-Privacy Regulation that seeks to identify which provisions have turned out to be most difficult for European businesses to implement. This legal dissection will be accompanied by a quantitative assessment of the administrative fines that have been issued by data protection authorities throughout the Union. The aim is to locate problems within the legislature and to provide recommendations for how to solve them.
Informational privacy post GDPR – end of the road or the start of a long journey?
The Right to Privacy Revisited, 2021
The General Data Protection Regulation (GDPR) is a far-reaching legal instrument that regulates the collection and use of personal data by private actors, individuals and by governments. In this respect, the GDPR is indeed a key legal instrument for protecting informational privacy. This article will analyse and discuss the impact of the GDPR on the right to privacy particularly in the context of data protection. It also explores whether the GDPR in itself is adequate to ensure the right to privacy in the European Union (EU) and whether the protection provided by the GDPR can be supplemented by other means. The article finds that while the GDPR is a significant step in the right direction to protect informational privacy, it is certainly not the end of the journey. It argues that on its own, the GDPR cannot fully address the imbalance of power between data subjects and data controllers. Hence, it needs to be complemented by other regulatory tools such as the ePrivacy Regulation, EU competition law and Consumer Protection rules. Furthermore, some provisions in the GDPR must be revisited in the near future to ensure they do not become obsolete.
Introduction to the Symposium on the GDPR and International Law
AJIL Unbound, 2020
It is rare that a lengthy and detailed piece of legislation adopted in one jurisdiction becomes not only a law with powerful impact across multiple jurisdictions and continents, but also an acronym that trips readily off the tongue of laypeople and lawyers alike around the world. Yet this has been the fate of the European Union's General Data Protection Regulation, now commonly known as the GDPR, since its coming into force in 2018. Perhaps the Helms-Burton Act came somewhat close in its global impact when the United States adopted the extensive anti-Cuba sanctions regime in 1996. But Helms-Burton was a deliberately globally-targeted sanctions regime that sought to pressure foreign companies trading in or with Cuba into ceasing those activities, and it was adopted as an instrument of U.S. foreign policy. By comparison, the GDPR at first glance appears to be a domestically-focused piece of legislation intended to strengthen data protection and privacy standards within the EU, and to make Europe, in the terms used by the European Commission, "fit for the digital age." Describing itself as a measure intended to harmonize data privacy laws across Europe's single market, the GDPR, which in principle requires no transposition on the part of EU member states in order to have immediate and binding legal effect within those states, applies to any organization operating within the EU or offering goods or services to customers or businesses in the EU. The legislation imposes a demanding set of regulatory standards on those who control or process personal data, in relation to the purposes, uses, handling, and storage of such data. Breaches of these standards can result in the imposition of hefty fines. While the overriding purpose of the regulation may be the protection of personal privacy, the GDPR addresses multiple aspects of data governance that are relevant to businesses worldwide.
The key to the way in which the GDPR goes far beyond being a domestic EU-focused legislative measure is in its application to any business or organization anywhere in the world that offers goods or services to persons within the EU, or that monitors the behavior of individuals in the EU. This has meant that the numerous and detailed regulatory standards imposed on companies and organizations (which include the need to obtain the affirmative consent of those whose data they gather or hold; the requirement to inform; the obligation to rectify and to erase data; and restrictions on transfers of data outside the EU) have a very extensive global reach indeed. As Anu Bradford has convincingly argued, at a time when the EU has emerged from a series of economic and political crises as a weakened international political actor, its global regulatory influence and power by comparison has, if anything, increased. 1 While some have welcomed the EU's digital leadership in setting strong data protection and privacy standards, others have been critical of the reach and implications of the GDPR, with the Heritage Foundation and others accusing the EU of digital imperialism. 2 One evident consequence of the global impact of the GDPR is that many of its requirements are in tension with, if not directly in conflict with, other regimes and
Personal Data Protection and the EU's endeavor towards adequate protection
The word "information" has been regarded in many issues, but it fits a specific phenomenon better than any words, and this is the "information society". In this society we live in, interconnectedness gains so many levels through fiber-optic cables, wireless spheres, expanding social media, enlarging investment on software business etc. and innovation happens in a volatile respect. Hence, what we see is an immense flow of data between all kinds of actors, and the total amount of information doubles or triples each year, as the number of actors increases day-by-day. Within this realm, the question of "who controls the information?" arises, because we know that ipsa scientia potestas est (knowledge itself is power). Well, the answer is simple: potentially, everyone. Because the progressing technology has vulnerabilities which enable others to breach into your calls, desktop files, social media activities etc. Further, surveillance under the name of "national security" is an essential issue since 9/11, and has become a world-wide trend for every government. Besides, commercial use of data is no secret anymore; Google, Facebook and all other Internet giants use personal data for several reasons, such as personalized advertisement and selling it to third parties. Therefore one may claim that data is the new form of exchange, or is the new currency.
AN ANALYSIS OF THE GENERAL DATA PROTECTION REGULATION (EU) 2016 679.pdf
On the 27th April 2016, the REGULATION (EU) 2016/679 (GDPR) was adopted by the Member States of the EU with the plan of achieving harmonization and uniformity in the applicable data protection rules in Member States. This Regulation did introduce new provisions into the body of laws on data protection and this could be to some extent knotty owing to their relative novelty. This paper carries out an analysis of key provisions of the said Regulation with the aim of examining, as much as possible, the possible expectations under the said regulation.
Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies
American Business Law Journal, 2019
(NB: The file on this site is a post-print, prior to final changes and not in the final format. The final version of this article is available at https://onlinelibrary.wiley.com/doi/abs/10.1111/ablj.12139.) The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.
The challenges of implementing General Data Protection Law (GDPR)
STANDARDIZATION, PROTYPES AND QUALITY: A MEANS OF BALKAN COUNTRIES’ COLLABORATION, 2018
The vast majority and complexity of big data being processed by the companies, imposes a need for a common guideline among all the data stakeholders regarding the personal data controlling and processing. The European General Data Protection Regulation (GDPR) imposes more restrictions towards data handling and gives the data subjects more freedom on how to share their personal data. The complexity of such law, to be implemented towards all the companies which hold European citizen data has a lot of grey areas. In this article we will see what changes are needed between data subjects, data controllers and data processors to be fully GDPR compliant. The aim is to see how GDPR really fits with recent technology processes which are in continuous evolvement.
The 'User-Centric' and 'Tailor-Made' Approach of the GDPR Through the Principles It Lays down
The Italian Law Journal, 2019
The European approach to online privacy and personal data concerns in the contemporary digital age appears to have embraced a 'user-centric' approach, inspired by values of 'personalism' and human dignity, regardless of the growing commercial value commonly given to personal data. These two sides of the same coin have been taken into account by the GDPR. On the one hand, it seems to outline a system of protection of data subjects that presents certain similarities and connections with consumer protection directives, especially as regards the transparency principle and the aim to provide individuals with 'effective' protection, enforceable rights and awareness-raising activities. On the other hand, a radical shift in the data protection policies of big online companies and many other service providers is required by the implementation of the set of mandatory principles and obligations stated by chapter IV of the GDPR, while the notice-and-consent paradigm is now quite remote. In particular, data minimisation, confidentiality, integrity, data protection by design and by default, as well as accountability and scalability principles require a model of approaching the new challenges brought about by data protection that should be 'contextual' and 'tailor-made'. This means that the appropriate measures to be adopted by controllers and processors must consider the specific circumstances of each individual case, in accordance with a proportionality and reasonableness test on the extent of risks to the rights and freedoms at stake. The new legal framework provided by the GDPR and Convention 108+ has weakened the role of national laws on personal data protection but has also posed the challenge of providing a uniform legal frame, at the European Union level, as well as of strengthening the harmonisation process among countries that are currently taking different approaches to data protection at a global level.