
Overview of the New Data Privacy Regulations in the European Union

On May 25, 2018, the European Union’s (EU) new data protection rules—the General Data Protection Regulation (GDPR)—will take effect.1 The GDPR replaces the 1995 Data Protection Directive2 and is designed to harmonize data privacy across Europe. Specifically, the GDPR provides EU internet users with new powers over when and how their “personal data” is collected and processed. Organizations in non-compliance risk significant fines of up to 4 percent of global revenue or €20,000,000, whichever is higher.3 While the GDPR is an EU regulation, in certain cases the regulations can apply extraterritorially.4 Thus companies that sit outside the borders of the EU cannot afford to ignore these regulations.

I. What is protected?

The GDPR is aimed at protecting “personal data” of EU internet users. The regulations afford protection to persons regardless of citizenship so long as those individuals are within the EU.5 “Personal data” is any information that can be used to identify a natural person (“data subject”).6 This information includes names, identification numbers, location data, online identifiers or one or more factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity.7 To constitute “personal data” under the GDPR, the data alone need not identify the subject.8 It is enough if the personal data, in conjunction with other information, identify an individual.9

While the definition of personal data under the GDPR is largely unchanged from the 1995 Data Protection Directive, the GDPR has added, among other things, “location data” as a type of “personal data”.10 This addition is significant for online entities or businesses, such as advertisers or media companies, that employ cookies. Under the GDPR, cookies are personal data when they can identify an individual via an electronic device.11

II. Who is subject to the GDPR?

The GDPR applies to organizations within the EU that fall into the categories of “controller” or “processor”.12 A “controller” is a person, business or organization that determines the purpose and means for processing personal data.13 A “processor”, on the other hand, is a person, business or organization that processes the personal data on behalf of the “controller”.14 Notably, it does not matter if some or all of the personal data is processed outside of the EU. As long as the processing of the personal data is in the context of activities of the “controller” or “processor”, those entities are subject to the GDPR.15

A company can be both a processor and a controller. For instance, Controller A may pay Company B to conduct data analytics on behalf of Controller A. In this situation, Company B is a processor. But if Controller A also stores or processes the data in any manner, it is both a processor and a controller. Under the GDPR, the distinction between controller and processor is important for compliance because, as a rule, the GDPR treats the controller as primarily responsible for obtaining and managing consent.16 Processors have compliance obligations as well, including obligations related to security and processing.17

Unlike the 1995 Data Protection Directive, there are two situations where the GDPR applies to companies with no physical presence in the EU. The GDPR applies where a company “offer[s] goods or services” to a person located in the EU.18 In this situation, the GDPR applies even if there is no financial transaction or payment.19 Having an internet website that is accessible to EU residents, however, is not enough for the regulations to attach.20 Rather, factors such as offering a service in the language or currencies of the EU member state may trigger application of the GDPR.21

In addition, the GDPR applies extraterritorially where a company monitors the behavior of data subjects in the EU “as far as their behavior takes place within the Union.”22 Tracking the internet activity of an EU data subject in order to make decisions regarding predicting preferences or behavior of the data subject likely falls within the GDPR.23 This would include circumstances, for example, where a non-EU company tracks an EU data subject’s internet activity in order to present targeted advertisements to the EU data subject.

III. What rights do data subjects have under the GDPR?

The GDPR requirements are extensive and complex. A few of the key requirements are discussed below.

1) Consent requirement

Before an organization can collect personal data from a data subject, the subject must consent to collection. Consent must be “freely given, specific, informed and unambiguous”.24 While the 1995 Data Protection Directive also required consent,25 the GDPR makes clear that consent must be given “by a statement or by a clear affirmative action” signifying agreement to the processing of personal data.26 An affirmative act must demonstrate the data subject’s acceptance of the proposed processing of personal data.27

Examples of an affirmative act include “ticking a box when visiting an internet website”.28 Implied consent is not sufficient, and the mere visiting of a website does not constitute an affirmative action to have personal data collected or processed. Similarly, statements such as “[b]y using this site, you consent to the use of cookies” are also insufficient because there is no affirmative act of consent.

The GDPR also requires that data subjects have the right to revoke their consent at any time.29 The regulations further require that it “be as easy to withdraw consent as to give consent.”30 Thus, if a check box is employed to obtain consent from a data subject, a check box or interface of similar complexity should be presented to a data subject for withdrawal of consent. A data subject’s withdrawal of consent does not affect the lawfulness of processing of personal data before consent was withdrawn.31

Consent is “informed” only when the data subject is aware of the identity of the controller and the intended purpose of the processing.32 Further, consent is not regarded as “freely given” if the provision of the service to a data user is contingent on consent yet such consent is not necessary for the service.33 Under the GDPR, there is a presumption that consent is not valid unless specific consents are obtained for different processing operations. That is, “[w]hen processing has multiple purposes, consent should be given for all of them.”34

While the 1995 Data Protection Directive did not distinguish between adults and children, the GDPR has special provisions regarding the processing of children’s personal data. For the purposes of the GDPR, children at least 16 years old are treated the same as adults.35 Where the child is below the age of 16, parental or guardian consent is required.36 EU member states may lower the age for parental consent by law, but in no case can that age be lower than 13 years old.37

2) Right to object to targeted marketing

Data subjects have the right to object to processing for marketing purposes.38 This is an absolute right, and once the data subject objects, the data cannot be used or processed for direct marketing purposes.39 The right to object to direct marketing must be explicitly brought to the attention of the data subject in a clear manner that is separate from other information.40

3) Right of access by the data subject

Data subjects have the right to access information regarding their personal data collected by a controller.41 This information includes:42

  • the type of data being processed;
  • the purpose of the data processing;
  • to whom the data has been or will be disclosed;
  • when known, the length of time the personal data will be processed or stored;
  • the logic involved in any automatic processing of personal data; and
  • known sources of the personal data when a data subject is not the source of the personal data.

When the personal data is transferred to another country or an international organization, the data subject has the right to be informed of the required safeguards relating to the transfer.43 The controller is also required to provide a copy of the personal data undergoing processing.44

4) Right to erasure (‘right to be forgotten’)

In certain circumstances, a data subject has the right to have personal data erased by a controller.45 For instance, if the personal data is no longer necessary for the purposes for which it was collected, the individual has the right to have it erased.46 If the personal data has been unlawfully processed, an individual has the right to have it erased.47 If the data subject withdraws consent, and there is no legal ground for processing the data, the data must be erased.48

5) Right to breach notification

Under the GDPR, breach notification is required in certain circumstances. In particular, controllers are required to communicate personal data breaches to data subjects where the breach is likely to “result in a risk for the rights and freedoms of individuals”.49 Notification should describe the nature of the breach as well as recommendations for the data subject to mitigate the breach.50

Notification of a data breach to data subjects should be made “without undue delay.”51 While “undue delay” is not defined in the GDPR, factors such as the nature of the breach and the potential adverse effects on the data subject should be considered when determining how quickly to notify the data subject.52 Notification procedures “should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.”53 In addition to notification requirements to “data subjects”, notification of a personal data breach must be made to the member state’s “supervisory authority” within 72 hours of a breach.54

Notification of a data breach is not required where the controller has implemented protection measures, such as encryption, that render the data unintelligible.55 In addition, notification is not required if it involves disproportionate effort.56 In this case, a public communication of the data breach may be effective.57

IV. What are the consequences of failure to comply with the GDPR?

The upper limits of potential administrative fines for failure to comply with the GDPR are significant. Processors and controllers can be fined up to €20,000,000 (~$25 million in USD) or up to four percent of the company’s annual “global turnover” (total revenue) for the preceding year, whichever is greater.58 For global companies such as Apple and Google, four percent of global revenue is a substantial amount of money. However, it is important to note that administrative fines depend “on the circumstances of each individual case”.59 According to the GDPR, the imposition and amount of a fine shall depend on consideration of a variety of factors including:60

  • the nature, gravity and duration of the violation, taking into account the number of data subjects affected and the level of damage suffered by them;
  • the intentional or negligent character of the violation;
  • the actions taken by the controller or processor to mitigate harm;
  • the degree of responsibility of the controller or processor;
  • previous violations by the controller or processor; and
  • the categories of personal data affected by the violation.

Any fines or corrective actions are assessed or imposed by a “supervisory authority”.61 A “supervisory authority” is an independent public authority established by each member state.62 Each member state can have more than one “supervisory authority”.63 A supervisory authority has the power to issue warnings, reprimands and compliance orders in lieu of or in addition to the imposition of a fine.64

Finally, the GDPR is a baseline for data protection in the EU, and EU member states may introduce further conditions for data processing.65 Global companies and organizations thus need to be aware of country-specific regulations that may go above and beyond the requirements of the GDPR to avoid any country-specific violations.

V. Conclusion

The GDPR is a complex set of requirements aimed at protecting the personal data of EU internet users. Given the risk of non-compliance, companies and organizations cannot afford to ignore the GDPR. Fines for non-compliance, however, are not automatic, and by the terms of the regulations themselves, a company’s good faith effort to comply with the GDPR will be considered in the event of any violation. 


1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (hereinafter “GDPR”).
2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 31. (hereinafter “1995 Data Protection Directive”)
3 GDPR at Art. 83(5).
4 Id. at Art. 3(2).
5 Id. at Art. 3.
6 Id. at Art. 4(1).
7 Id.
8 Id. at Recital 26.
9 Id.
10 Id. at Art. 4(1).
11 Id. at Recital 30.
12 Id. at Art. 3(1).
13 Id. at Art. 4(7).
14 Id. at Art. 4(8).
15 Id. at Art. 4(1).
16 Id. at Art. 5(2), Art. 7(1).
17 Id. at Art. 28, Art. 32, Art. 33(2).
18 Id. at Art. 3(2)(a).
19 Id.
20 Id. at Recital 23. The use of a language also used in the controller’s state is not sufficient to establish intent to offer goods and services. Id.
21 Id.
22 Id. at Art. 3(2)(b).
23 Id. at Recital 24.
24 Id. at Art. 4(11).
25 1995 Data Protection Directive at Art. 7.
26 GDPR at Art. 4(11).
27 Id. at Recital 32. 
28 Id.
29 Id. at Art. 7(3).
30 Id.
31 Id.
32 Id. at Recital 42.
33 Id.
34 Id. at Recital 32.
35 Id. at Art. 8(1). 
36 Id.
37 Id.
38 Id. at Art. 21(2).
39 Id. at Art. 21(3).
40 Id. at Recital 70.
41 Id. at Recital 63.
42 Id. at Art. 15(1).
43 Id. at Art. 15(2), Art. 46.
44 Id. at Art. 15(3).
45 Id. at Art. 17(1).
46 Id. at Art. 17(1)(a).
47 Id. at Art. 17(1)(d).
48 Id. at Art. 17(1)(b).
49 Id. at Art. 34(1).
50 Id. at Recital 86.
51 Id. at Art. 34(1).
52 Id. at Recital 87.
53 Id. at Recital 88.
54 Id. at Art. 33(1).
55 Id. at Art. 34(3)(a).
56 Id. at Art. 34(3)(c).
57 Id.
58 See, e.g., id. at Art. 83(5).
59 Id. at Art. 83(2).
60 Id. at Art. 83(2).
61 Id. at Art. 58.
62 Id. at Art. 4(21).
63 Id. at Art. 51.
64 Id. at Art. 58(2).
65 See, e.g., id. at Art. 6(2), Art. 8, Art. 9(4).