The European Union’s (EU) General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679 of the European Parliament and of the Council, was adopted in 2016 and regulates the processing by a company or an organisation of personal data relating to individuals in the EU.
The GDPR was designed to reform an outdated EU framework, in particular the 1995 Data Protection Directive. Because of its global reach and implications for states, businesses, and citizens around the world, the GDPR is a key instrument for strengthening data protection both at the EU level and beyond.
The GDPR aims to reinforce the data protection rights of individuals, facilitate the free flow of personal data in the single market, reduce administrative burden, and harmonise the data protection rules in the EU.
The GDPR covers both personal data (such as name and birthdate) and sensitive personal data (health data, religious and political views, and sexual orientation). The regulation provides individuals with rights related to their data, including a right to access, a right to portability, a right to information, and the so-called right to be forgotten. It also requires clear and affirmative consent from the person concerned for the processing of their private data.
One of the most important features of the GDPR is that it grants regulators the right to fine individuals or organisations in case of non-compliance. When offering their services to customers in the EU, companies outside the EU must abide by the same rules as European companies. Fines for non-compliance can reach up to €20 million, or 4% of the company’s annual turnover.
The GDPR is not only directly relevant to EU countries and companies, but also to many organisations and countries across the world. In Brazil, China, India, Japan, South Korea, and Thailand, legislators and governments have passed new laws, proposed new legislation, or are considering legislative changes closely aligned with the EU’s GDPR. In the USA, current debates around the possible introduction of new data protection rules have put a strong spotlight on the new framework created by the GDPR. For example, Apple’s CEO Tim Cook called on the USA to use it as a model, while Facebook’s CEO Mark Zuckerberg and Google’s CEO Sundar Pichai have called for comprehensive privacy legislation at the federal level in the US.
The GDPR marked its first anniversary of entry into force in May 2019. The introduction of this legislation has led to a sharp increase in the number of complaints and investigations related to data protection violations in all member states. More than 280 000 cases have been received by EU data protection authorities, while around 144 000 individual complaints were registered.
Despite an acceleration of investigations into data protection violations, the number and size of financial fines have remained quite modest until now. After one year, the GDPR’s enforcement actions have generated around €56 million in penalties, with one single fine (levied against Google by the French CNIL) accounting for nearly 90% of this amount. This rather low level of penalties is partly due to the relative tolerance of national authorities towards the private sector in this first year, as companies were given time to adjust their data protection practices to the new framework. Many Internet giants are currently under investigation for potential violations. For example, Facebook is now facing 11 investigations in Ireland for issues such as large-scale data breaches, legal bases for processing, and transparent presentation to users.