Primer on EU General Data Protection Regulation: What You Need to Know

Now that it’s been approved by the EU Parliament’s Civil Liberties Committee, Europe’s General Data Protection Regulation (the “GDPR” or the “Regulation”) is well on its way to replacing the 20-year-old Data Protection Directive (the “Directive”) as the EU’s omnibus data protection law.  Although it won’t officially become law until it receives the approval of the EU Parliament, now is the time to study the most important aspects of the GDPR so you can be prepared for the new regime.

Why replace the Directive?

The technology landscape was very different 20 years ago, when the Directive was first adopted.  Today, with the widespread usage of social media, apps, and the Internet generally, personal data is being shared and transferred across borders more than ever before, and many felt that the Directive was due for an overhaul in light of all these changes.

Moreover, the Directive was limited because it was just that – a directive.  As a directive, it could only set the minimum legal standards the EU member states had to meet in their own data protection laws; the member states otherwise could craft their own laws as they saw fit.  This led to a patchwork of data protection laws across Europe, with some countries implementing more stringent (and occasionally idiosyncratic) laws than others.

The GDPR is meant to solve this problem.  As a regulation, as opposed to a mere directive, it directly imposes a uniform data protection regime on all EU member states.  There is no need for a member state to enact legislation in order to make the GDPR law within that country; once the GDPR is passed, it will become the law in every member state, thereby harmonizing EU data protection law from A(msterdam) to Z(agreb).

What are some of the major ways the GDPR differs from the Directive?

Are there any important points on which the GDPR is similar to the Directive?

Yes – one of the most significant of these is consent.  Similar to the Directive, the Regulation provides that consent is a valid basis for processing personal data, and in Article 4 defines consent as “freely given, specific, informed and unambiguous” (the Directive defines consent, in Article 2, as “freely given specific and informed”).  Under the Directive, employees generally could not be viewed as freely giving consent to their employers’ processing or cross-border transfer of their personal data, given the inherently unbalanced power dynamic in the employer-employee relationship.  As the Regulation’s language on consent mirrors that of the Directive, we may assume, for now, that the same restrictions on employee consent will remain.

What about the Directive’s data protection principles?  Does the Regulation change those in any way?

One of the key components of the Directive is its list of “Principles Relating to Data Quality” in Article 6.  Under Article 6, member states had to require that personal data be processed fairly and lawfully; collected for specified and legitimate purposes; adequate, relevant, and not excessive given the purposes for which the data was collected and processed; accurate and kept up to date, where necessary; and kept in a form that allowed for the identification of data subjects for no longer than necessary given the purposes for which the personal data were processed.

Article 5 of the Regulation maintains and expands upon these principles, even giving each principle a name – the first principle, for example, is labeled “lawfulness, fairness and transparency.”  It also adds an additional “integrity and confidentiality” principle, which requires that data be “processed in a way that ensures appropriate security of the personal data.”  The Regulation, like the Directive, also states that controllers must demonstrate compliance with these principles.

How does this affect the US-EU Safe Harbor?

As you may recall, the US-EU Safe Harbor program was declared invalid this past October.  While the GDPR does not provide for a new Safe Harbor program, it is important to note that the Directive did not envision a Safe Harbor program either; instead, the Safe Harbor program was implemented five years after the Directive, pursuant to Decision 2000/520/EC.  (It was this Decision that the European Court of Justice invalidated this past October, which in turn essentially ended the Safe Harbor program.)  In other words, just because the GDPR doesn’t specifically provide for a Safe Harbor program doesn’t mean there isn’t a new Safe Harbor program on the horizon.  Indeed, American and European officials have been negotiating the contours of Safe Harbor 2.0 and hope to reach an agreement by January.

In the meantime, Chapter V of the GDPR, which deals with cross-border data transfers, indicates that binding corporate rules (“BCRs”) and standard contractual clauses remain valid tools for transferring personal data outside the EU.  Unlike the Directive, the GDPR even details the basic requirements for BCRs in Article 43; until this point, the BCR requirements had been set out in a series of Working Documents published by the Article 29 Working Party, and those drafting the BCRs had to cross-reference the various documents in order to piece together a truly comprehensive picture of what to include.  Moreover, the GDPR’s approval of mechanisms such as BCRs and standard contractual clauses alleviates the concern that some member states’ data protection authorities will follow Germany’s lead in declaring that these tools offer insufficient protection for personal data transfers to the US.

When would the GDPR become effective?

If approved, the GDPR would not become effective until 2018, giving companies time to ensure compliance with the new law.

© 2024 Proskauer Rose LLP.
National Law Review, Volume V, Number 358