On April 14 2016, the European Union’s parliament voted for massive reforms to their old and outdated data protection laws. The new laws will come into effect in April 2018, giving the member states two years to make changes to their current data protection laws and prepare for the more rigorous policing system that will be put into effect. The system will streamline data protection and create consistency, eliminating the patchwork of laws the European Union has been using up to this point.
These new changes were first put forward in January 2012 to replace the old laws from 1995. There will be two main components to the new laws: the General Data Protection Regulation (“GDPR”), which will give European Union citizens increased control of their private data; and the Data Protection Directive, which targets the use of private data by European Union police.
While the new laws may not be perfect – for example, DigitalEurope has said the new laws don’t strike the right balance between protecting citizens’ right to privacy and the ability of European businesses to become more competitive – there could be bigger challenges in store. The European Union and the US continue to negotiate and work out the kinks in their new “Privacy Shield” agreement. If Privacy Shield, the follow-up to the old Safe Harbor framework, goes into force, it will need further updating as a result of these new laws.
So what do the new laws cover? The GDPR will provide increased information to citizens on how their personal data is being used by companies. Personal data will become more portable, so it can be moved between online services with increased ease. If there’s a serious data breach, the companies and organizations that fall victim to these breaches will have to tell the national supervisory bodies so citizens can be made aware and have the ability to decide whether or not to leave their data with that company. Overall, the purpose is to require user consent in all areas of how their data can and will be used and for the user to be kept updated on any changes to that use.
In addition, these new rules will be supported by stronger enforcement mechanisms. The largest deterrent? Data protection authorities will be able to fine companies violating the new laws up to four percent of their global annual turnover. This could mean billions of euros in fines for major US Internet companies.
Under the Data Protection Directive, the focus will be on the police and criminal justice elements of the data protection laws. A key area of focus will be the protection of personal information when it’s being used for criminal law enforcement purposes.
The laws may not be perfect, but their streamlined nature and the advances being made to improve data protection for European Union citizens are certainly an improvement on what they’ve had in the past. Only time will tell how US companies doing business throughout Europe will react to these even stricter guidelines, and they have the next two years to figure it out.
For more information regarding the new agreement and what it could mean for US and European companies alike, contact Revision Legal’s Internet attorneys through our contact form or by calling 855-473-8474.
Image courtesy of Flickr user safwat sayed
The GDPR in Force: What Actually Changed
The General Data Protection Regulation (GDPR) entered into force on May 25, 2018, following the two-year implementation period described in the original post above. In the years since, it has proven to be exactly as consequential as predicted — and in some respects more disruptive to US technology companies than the initial commentary anticipated.
The two-component structure — the GDPR covering general data protection, and the Law Enforcement Directive (LED, Directive 2016/680) covering criminal justice data processing — has played out largely as designed. The GDPR has been enforced aggressively by supervisory authorities in Ireland (which has jurisdiction over most major US tech companies due to their EU headquarters in Dublin), France, Germany, and the Netherlands. The LED has received less public attention but has been invoked in debates about data sharing between law enforcement agencies across EU member states.
The Scope of the GDPR and Who It Covers
One of the most important aspects of the GDPR for US companies is its extraterritorial scope under Article 3. The GDPR applies not only to companies established in the EU, but to any company that:
- Offers goods or services to individuals in the EU, even if the company is based in the US and has no EU presence; or
- Monitors the behavior of individuals in the EU — for example, by tracking EU visitors to a US website using cookies or analytics tools.
This means that a US-based e-commerce company that ships products to EU customers, or a US SaaS company that provides services to EU businesses, is subject to the GDPR even if it has no employees or servers in Europe. The practical enforcement mechanisms are more limited against purely US companies than against companies with EU establishments, but the legal obligation is real — and EU data protection authorities have increasingly coordinated with US regulators to address cross-border violations.
Lawful Bases for Processing Personal Data
Under Article 6 of the GDPR, every act of processing personal data must have one of six lawful bases. For most commercial data processing, the relevant bases are:
- Consent (Article 6(1)(a)). The data subject has given free, specific, informed, and unambiguous consent to the processing. Pre-ticked boxes, bundled consent (where consent to data processing is a condition of using a service), and vague statements like “by using this site you agree to our privacy policy” do not constitute valid GDPR consent.
- Contract (Article 6(1)(b)). Processing is necessary for the performance of a contract with the data subject, or to take pre-contractual steps at the request of the data subject. This basis covers processing that is genuinely necessary to fulfill an order — shipping address, payment details — but does not extend to secondary uses like behavioral advertising.
- Legitimate interests (Article 6(1)(f)). Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the data subject’s rights and freedoms. This is the most flexible basis, but it requires a documented balancing test demonstrating that the legitimate interest is real, the processing is necessary to achieve it, and the impact on the data subject is proportionate.
The GDPR’s Impact on US Technology Companies: A Track Record
Since coming into force, the GDPR has produced a consistent pattern of large fines against US technology companies. The largest penalties include:
- Meta Ireland: €1.2 billion (2023) — unlawful transfer of EU user data to the United States.
- Amazon: €746 million (2021) — behavioral advertising without valid consent.
- WhatsApp Ireland: €225 million (2021) — transparency failures regarding data sharing with Facebook.
- Google LLC: €50 million (2019, CNIL) — inadequate disclosure and consent for ad personalization.
Beyond headline fines, the GDPR has driven fundamental changes in how companies collect and process personal data across the EU. Cookie consent interfaces, data subject rights request portals, data processing registers, and data protection officer appointments are now standard infrastructure for companies operating in the EU market. The compliance cost has been significant — but companies that built robust GDPR programs early have found that those programs also help with compliance under US state privacy laws like the CCPA.
Data Portability and the Right to Be Forgotten in Practice
The right to data portability (Article 20) and the right to erasure (Article 17) have proven to be significant operational obligations. Data portability requires companies to provide data subjects with their personal data in a structured, commonly used, and machine-readable format upon request — and to transmit that data to another controller if technically feasible. This has required companies to build data export tools capable of aggregating and formatting all personal data held about a specific individual.
The right to erasure requires companies to delete personal data when an individual requests it, subject to exceptions for legal obligations, legitimate business needs, and freedom of expression. Operationalizing erasure requires knowing where all copies of personal data are stored — including in backups, third-party processors, and data analytics platforms — and having the technical capability to delete data from each location.
Talk to an Attorney
The GDPR is not a compliance checkbox — it is a comprehensive framework that requires ongoing attention as business practices evolve and regulatory guidance develops. US companies that have not yet built a GDPR compliance program face real legal and reputational risk. Revision Legal’s internet privacy attorneys advise businesses on GDPR compliance, data subject rights responses, breach notification, and cross-border transfer mechanisms. Contact us through the form on this page or call 855-473-8474.