A Summary Overview Guide to Understanding GDPR Compliance
The General Data Protection Regulation (GDPR), which covers the 27 EU member countries, is the global standard of data privacy laws.
Passed into law in 2016 and taking effect in 2018, the GDPR exists to protect the personal data of EU citizens by setting rules for how personal data is collected, processed, stored and transferred.
Due to the UK leaving the EU (i.e. Brexit), there are actually now two GDPR laws in Europe. The EU member countries, known as the European Economic Area, have the EEA GDPR. The UK now has its own version of the GDPR called the UK GDPR. In practice, the EEA GDPR and the UK GDPR are very similar. In this post, we will be covering the primary EEA GDPR law since it is the foundation of not only the UK GDPR but of many other global data privacy laws.
At its core, the GDPR recognizes that the “protection of natural persons is a fundamental right” and that “everyone has the right to the protection of personal data concerning him or her.”
The recitals of the GDPR are a testament to the fundamental right that human beings have with regard to their personal information and to the challenges that people face in protecting that right in our modern world.
In the GDPR, individual people are referred to as data subjects while businesses that collect data are referred to as data controllers. Any entity that processes data is called a data processor.
In PDF form, the text of the GDPR law is 88 pages in length and outlines the rights and responsibilities of data subjects, data controllers and data processors. It is quite a dense and detailed law to read.
In this post, we will be exploring some of the key areas of the GDPR as the text of the law is written without the interpretation of third-party sources.
Note that all text that is taken directly from the GDPR law as it is written is denoted in italics and reflects European spellings of certain words.
How the GDPR Defines Personal Data
The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The definition and scope of personal data under the law is deliberately broad and can encompass any number of technologies or collection techniques that can be used to identify a single person such as by tracking cookies and pixels or collecting an email address or IP address. Even taking a browser fingerprint is considered using personal data.
Personally identifiable information (PII) is quite often used for profiling which the GDPR defines as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Under the GDPR, personal data should be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Data Subjects, Data Controllers & Data Processors Under the GDPR
Data Subject: Any EU citizen who is an “identifiable natural person” who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Data Processing is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The GDPR recognizes that the risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
Due to the inherent risks involved when data subjects’ personal data is collected, stored and processed, the GDPR requires transparency on the part of data controllers and data processors.
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.
The present state of online advertising has evolved significantly over the years. In its early years, online ads simply used cookies to track how many people had clicked on an ad and how many of those people had converted, i.e. performed some action that the advertiser had deemed a successful event, such as making a purchase on a website, downloading a white paper or signing up for a webinar.
Over time, digital advertising technology has evolved with the aid of persistent tracking mechanisms such as cookies and pixels to be able to follow users around to different websites, determine their interests and other information about them, and target them with ads based on that data.
While this has enabled advertising to become more effective in terms of showing ads to people who are in the market for a particular product or service, it has also blurred the lines between what is acceptable advertising and what constitutes a violation of the individual’s right to privacy. One only has to use one’s imagination to conceive of some of the many scenarios where such data collection could be problematic.
The GDPR states that where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
In fact, with regard to marketing, the GDPR is an opt-in law meaning that the user must give permission before any data is collected. This is particularly evident with regard to cookie banners in the European Union which must only set cookies that are strictly necessary to use a website by default. Any other cookies for marketing or analytics (which are not necessary to use a website) must be opted in to by the user and not set by default when a user visits a website.
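The opt-in rule for cookie banners described above, as an added example (not code from the original post): a consent-gated cookie jar that sets strictly necessary cookies by default, refuses analytics and marketing cookies until the user opts in, and purges them again when consent is withdrawn. The in-memory Map stands in for `document.cookie` so the logic runs outside a browser; the category names and cookie names are this example's own constructed choices.

```javascript
// Added example: consent gating for cookies. Only the "necessary" category is
// set without consent; "analytics" and "marketing" require a prior opt-in.
const NECESSARY = 'necessary';
const OPTIONAL_CATEGORIES = new Set(['analytics', 'marketing']);

class ConsentGatedCookieJar {
  constructor() {
    this.cookies = new Map();   // name -> { value, category }; stands in for document.cookie
    this.consented = new Set(); // optional categories the user has opted in to
    this.log = [];              // audit trail of refused and purged cookies
  }

  // Record an opt-in. Unknown categories are rejected so a typo cannot widen consent.
  grantConsent(categories) {
    for (const c of categories) {
      if (!OPTIONAL_CATEGORIES.has(c)) throw new Error(`unknown category: ${c}`);
      this.consented.add(c);
    }
  }

  // Withdrawal is possible at any time: drop the consent and delete every
  // cookie that was only allowed because of it.
  withdrawConsent(categories) {
    for (const c of categories) this.consented.delete(c);
    for (const [name, cookie] of this.cookies) {
      if (cookie.category !== NECESSARY && !this.consented.has(cookie.category)) {
        this.cookies.delete(name);
        this.log.push({ action: 'purged', name, category: cookie.category });
      }
    }
  }

  // Returns true if the cookie was set, false if it was refused for lack of consent.
  setCookie(name, value, category) {
    const allowed = category === NECESSARY || this.consented.has(category);
    if (!allowed) {
      this.log.push({ action: 'refused', name, category });
      return false;
    }
    this.cookies.set(name, { value, category });
    return true;
  }

  has(name) { return this.cookies.has(name); }
}

// Walk through a typical visit: necessary cookie set by default, analytics
// cookie refused, then allowed after opt-in, then purged on withdrawal.
function demo() {
  const jar = new ConsentGatedCookieJar();
  jar.setCookie('session_id', 'constructed-session', NECESSARY); // set
  jar.setCookie('analytics_id', 'constructed-a1', 'analytics');  // refused
  jar.grantConsent(['analytics']);
  jar.setCookie('analytics_id', 'constructed-a1', 'analytics');  // now set
  jar.setCookie('ad_id', 'constructed-m1', 'marketing');         // still refused
  jar.withdrawConsent(['analytics']);                            // analytics_id purged
  return jar;
}
```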
Under the GDPR, data subjects also have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This means that any personal data that is collected by an organization must be made available to the data subject upon request.
A data subject should also have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.
Additionally, the GDPR asserts that where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
The GDPR also stipulates the right of the data subject to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
In terms of the responsibilities of data controllers, the GDPR focuses heavily on data breaches (i.e. “hacking” events during which personal data may have been compromised by third parties) and what the data controller is to do in such situations.
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
In addition to security breaches, the GDPR also addresses the responsibilities of the data controller in situations in which the personal data of data subjects is transferred outside the European Union.
Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data.
However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation.
In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
The flow of personal data from one country to another is a particularly challenging legal question that has come up in the past several years. Most of the largest technology companies in the world are based in the United States. Yet most of these American companies have users all over the world and may collect data from those users that gets transferred back to the United States. Understandably, other countries have become increasingly concerned about this over time.
The current privacy laws in the U.S. exist only at the state level in a handful of states and are not nearly as stringent as the GDPR. As of this writing, the U.S. does not have a national data privacy law, although one has been proposed for several years now. Perhaps not surprisingly, tighter regulation has been lobbied against by special interests representing the technology industry, who profit from the sale of personal data. So it may take some time before this issue is resolved at the national level in the United States.
In terms of processing data, the GDPR states that any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
The GDPR heavily emphasizes that data must be processed securely and suggests that encryption be employed when processing and storing data:
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
Transparency and Limiting What Data is Collected
The GDPR states that the principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
With regard to what data can be collected from a data subject, the personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
In other words, data collected for one purpose, such as an event registration, should not be used for other purposes, such as sending a marketing email for a new product.
Additionally, for any personal data collected from a data subject, the controller should ensure that the period for which the personal data are stored is limited to a strict minimum. Personal data from a data subject should not be stored indefinitely.
In this post, we have examined the critical points of the GDPR by showing them as they are written in the law. In all of the GDPR's 88 pages, there are a few other aspects of the law, such as the governing bodies, that we didn't cover. However, the key rights and responsibilities of data subjects, data controllers and data processors have been covered in detail.
The GDPR is the current standard among global data privacy laws and has informed and inspired several other data privacy laws around the world. Understanding its important points goes a long way towards understanding how global data privacy laws will evolve in the future.