Overview of GDPR: Difference between revisions

From GDPRhub
m (Reverted edits by Sfl (talk) to last revision by 10.90.129.3)
Tag: Rollback
 
(13 intermediate revisions by 2 users not shown)
Line 183: Line 183:
</div>
</div>
|}
|}
== Preface ==
''You can help us fill this section!''


== Intro and background ==
== Intro and background ==
The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention of Human Rights (ECHR).
The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention of Human Rights (ECHR).


=== Technical developments ===
=== Technical development made large-scale information gathering feasible ===
xxx


Given new technical possibilities of automated data processing, information is easy to generate, process and keep. For the first time, there was a realistic option to gather even rather trivial information in a fast, efficient and targeted manner and connect such information to generate a detailed picture on an individual. When reading many of the initial fears, it becomes painfully obvious that many of the rather futuristic predictions became true decades later.  
Given technical possibilities of automated data processing starting in the 1970ies, information about individuals was increasingly easy to generate, process and keep. For the first time, there was a realistic option to gather even rather trivial information in a fast, efficient and targeted manner and connect such information to generate a detailed picture on an individual. Technical developments have also ended traditional economic and practical limitations of information gathering and sharing in the analogue age, which further amplify the issue. <blockquote><u>Example:</u> Storage space used to be so expensive that irrelevant data was instantly deleted, by now storage is often cheaper than implementing proper deletion routines. It is therefore economically more feasible to not delete old data. The principle of data minimization in [[Article 5 GDPR#.28c.29 Data Minimisation|Article 5(1)(c) GDPR]] has foreseen this technological development and implements a legal requirement to delete irrelevant data. </blockquote>While information was always available and traded, the technical and factual options have dramatically increased since the mid of the 20th century. Information did not have to be kept in archives, send in postal mail and analyses by individuals, but could increasingly be processed automatically - dramatically bringing down costs for the use of personal data.  


Digital information did not just become omnipresent, yet often intangible and invisible, but also lead to enormous wealth and power in the hands of anyone that controls the processing of personal data. Power over such data allows to manipulate individuals, no matter if this concerns individual purchase decisions, or .  
When reading about the initial fears in the 20th century, it becomes obvious that many of the rather futuristic predictions became true decades later, as technology moved on.  


After all even relatively trivial uses of personal data, such as advertisement data can be used to trigger purchases that a data subject would not planned, enriching the data holder.  
=== Information is power ===
Since ancient times information was power. Knowledge about the interests, intentions and weak points of another person has always been used to get the upper hand in transactions, relationships or even wars.  


The information age is often not overcoming traditional information imbalances, but large scale data processing may even increase them. If for example airline would be able to gather data to find out a passenger is desperate to fly to a certain place at a certain time, it could likely double prices. At the same time, the passenger usually does not know that the flight is hardly booked and the airline is equally desperate to sell a seat. Such information imbalance can be overcome if a controller may not use the personal data of a passenger in such ways.  
Digital information did not just become omnipresent, yet often intangible and invisible, but also lead to enormous power in the hands of anyone that controls the processing of personal data. At the core, the information age now allows certain government and private entities to gather unthinkable amounts of information about other people and entities. Information about a person usually allows to manipulate individual decision making, no matter if this concerns individual purchase decisions, decisions by others about work, life and love or collective political decision making. Even rather trivial personal data, such as personal purchasing preferences can be used by advertisers to trigger transactions that a consumer would otherwise not have engaged in - thereby enriching a business. <blockquote><u>Example:</u> If an airline would be able to gather data to find out a passenger is desperate to fly to a certain place at a certain time (e.g. because he must attend a wedding), it could likely double prices. At the same time, the passenger usually would not know that the flight is hardly booked and the airline is desperate to sell seats and will put on a discount the next days. </blockquote>Such information imbalance can be overcome if a controller may not use the personal data of a passenger in certain ways, or information is simply not available to the controller.  


These developments have overcome traditional economic and practical limitations of information gathering in the analogue age. <blockquote><u>Example:</u> Storage space used to be so expensive that irrelevant data was instantly deleted, by now storage is often cheaper than implementing proper deletion routines. It is therefore economically more feasible to not delete old data. The principle of data minimization in [[Article 5 GDPR#.28c.29 Data Minimisation|Article 5(1)(c) GDPR]] has foreseen this technological development and implements a legal requirement to delete data.</blockquote>
=== Cultural elements of the right privacy ===
=== Reaction by the legislators ===
In addition to rational elements, such as information imbalances, there are also cultural and psychological reasons that lead to the protection of personal data. Topics like personal finances, health, relationships, nudity or sexuality are in many cultures seen as private, even when there is not necessarily a logical reason for these feelings. For historic reasons, some cultures have diverging feelings about government surveillance, the power of large commercial actors and alike. These cultural and historic backgrounds have further influenced the need to regulate the matter.  
The first explicit data protection laws can be traced back to the 1970 data protection act in the German state of Hessen or the US Privacy Act of 1974. At the core, the information age allows certain government and private entities to gather massive amounts of information about other people and entities.
== Legal History ==
While the history of the right to privacy and now the right to data protection could itself fill books, the following short overview may be useful to understand the broader picture and the background of the GDPR:
=== Initial national laws and internationalization ===
The first explicit data protection laws can be traced back to the 1970 data protection act in the German state of Hessen, the US Privacy Act of 1974 or the broad French 1978 Data Protection Act.  


While political reactions may be different based on culture and history, within the European Member States, but also on a global scale, there is clearly an overall desire to increase protections of personal data globally.<ref>See XXX</ref> The fact that these desires are not always be turned into laws seems to be based on the lack of democratic participation in many areas of the world, or political gridlock in developed democracies. While there is a common narrative that Europeans would care more about the protection of their personal data, there is clear empirical evidence that there are majorities for such protections globally.  
Realizing that protections would be undermined when personal data is sent across boarders, but the limitation of data flows would also undermine free trade and international integration, the need to internationalize rules and protection quickly became apparent. Convention 108 and following EU legislation were based on a simple equation: Once the right to data protection is standardized in a certain geographic area, there is no reason to limit data flows anymore. Following this thought the GDPR's full title is still called the "''Regulation ... on the protection of natural persons with regard to the processing of personal data and on the free movement of such data''".  
=== Directive 95/46/EC and its influence on the GDPR ===
Realizing the need for an EU framework to ensure the free flow of personal data within the European common market, the European Commission has proposed an EU Directive in 1990, which would later become Directive 95/46/EC. By October 1998 all EU Member States had to pass a national data protection act that was aligned with Directive 95/46/EC.  


The European Union has overcome such gridlock and had broad political support when passing the GDPR. In fact XX of XX Members of the European Parliament and all but one EU Member State (who has sought higher protections) have voted for the GDPR   
Directive 95/46/EC allowed Member States to adapt the rules to national frameworks and traditions. National data protection laws had to follow and be interpreted in the line with Directive 95/46/EC, but were still transposed into national laws, subject to national developments, case law and national additions.  


=== International aspects of data protection laws ===
Contrary to Directive 95/46/EC, the GDPR is a Regulation and therefore directly applicable and must be interpreted solely be reference to EU law, not national traditions. At the same time, the basic principles of Directive 95/46/EC stayed the same in the GDPR.  
Realizing that protections would be undermined when personal data is sent across boarders, but the limitation of data flows would also undermine free trade and international integration, Convention 108 and following EU legislation were based on a simple equation: Once the right to data protection is standardized in a certain sphere, there is no reason to limit data flows anymore. Following this thought the GDPR's full title is still called the "''Regulation ... on the protection of natural persons with regard to the processing of personal data and on the free movement of such data''".
== Legal History ==
While the history of the right to privacy and now the right to data protection could itself fill books, the following short overview may be useful to understand the broader picture and the background of the GDPR:
=== Directive 95/46/EC ===
Realizing the need for an EU framework, the European Commission has proposed an EU Directive in 1990, which would later become Directive 95/46/EC. By October 1998 all EU Member States had to pass a national data protection act that was aligned with Directive 95/46/EC.  


The basic principles of Directive 95/46/EC stayed the same in the GDPR. Consequently previous decisions by courts and authorities, as well a previous guidelines are often referred to when interpreting the GDPR.
In practice the large convergence between Directive 95/46/EC and the GDPR meant that previous decisions by courts and authorities, as well a previous guidelines are often referred to when interpreting the GDPR. Many issues or problems are the same under the GDPR and existing case law can consequently be a useful a guide when facing the same questions under the GDR. However experts, lawyers, authorities and courts also have a tendency to hold on to more than 20 years of national data protection law and tradition that are not supported by the GDPR anymore. Some Member States have even copied elements of their previous national data protection law into national laws implementing the GDPR, when there is no room under EU law to add such provisions or national interpretations. The strong wish to hold on to existing national approaches is even present in part of the national legal literature on the GDPR.


At the same time, Directive 95/46/EC allowed Member States to adapt the rules to national frameworks and traditions. National data protection laws hat to be interpreted in the line with Directive 95/46/EC, but were still subject to national developments, case law and national additions. Contrary to Directive 95/46/EC, the GDPR is directly applicable and must therefore be interpreted solely be reference to EU law, not national traditions.
These nationalistic approaches will however gradually be replaces by a truly European approach. Until such time, it is important to differentiate between concepts that can be derived from the GDPR or general principles of European law and artifacts that are still left


Despite the fact that EU law must be interpreted without reference to national law, these national traditions are still often present today, as experts, lawyers, authorities and courts have a tendency to hold on to more than 20 years of national data protection law. Some Member States have even copied elements of their previous national data protection law into national laws implementing the GDPR. The strong wish to hold on to existing national approaches is even present in party of the legal literature on the GDPR.  
=== GDPR ===
The European Union does not have a constitution, but the fundamental principles of the Union are enshrined in so-called "treaty law". On 1 December 2009 the Lisbon Treaty came into force. Article 16(2) TFEU provided for a new legal basis in Union law to pass comprehensive data protection legislation. In addition, the rapid development of an international market for digital services and products also required to replace the many national laws and regulations on data protection with one uniform European framework, applicable in the entire European Economic Area.


The nationalistic approach will however gradually be replaces by a truly European approach. Until such time, it is important to differentiate between concepts that can be derived from the GDPR or general principles of European law and artifacts that are still left
=== Proposal by the European Commission ===
 
=== GDPR Proposal by the European Commission ===
On 25.1.2012 the European Commission has published its proposal for the GDPR,<ref>https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN</ref> together with a proposal for a directive on the use of personal data in the area of law enforcement.  
On 25.1.2012 the European Commission has published its proposal for the GDPR,<ref>https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN</ref> together with a proposal for a directive on the use of personal data in the area of law enforcement.  


==== Core elements from Directive 95/46/EC ====
==== Core elements from Directive 95/46/EC ====
The material privacy protections of the GDPR proposal were largely similar to the protections under Directive 95/46/EC. The GDPR is therefore often described as not being a revolution, but an evolution.
The material privacy protections of the GDPR proposal were largely similar to the protections under Directive 95/46/EC. The GDPR is therefore often described as not being a revolution, but an evolution.  


In fact the core principles of the GDPR can already be found in the Council of Europe Convention 108,<ref>https://rm.coe.int/1680078b37</ref> which was passed in 1981 and was signed by 57 countries, including non-European countries.  
In fact the core principles of the GDPR can already be found in the Council of Europe Convention 108,<ref>https://rm.coe.int/1680078b37</ref> which was passed in 1981 and was signed by 57 countries, including non-European countries.


==== Technologically neutral, principle based approach ====
==== Technologically neutral, principle based approach ====
The GDPR follows a technologically neutral approach, which is based on principles, not descriptive rules for each type of processing or each new technology. This is for example in strong contrast with the US approach of sectorial privacy laws that only apply to certain processing situations (like health data, credit ranking or video rentals), but not to many modern processing operations. <blockquote><u>Example:</u> Murder is usually defined as intentionally killing another person. It does not matter if a murder uses a rock or an electric car to run over a victim, it is still murder. A technology neural criminal law only regulates the relevant principle, independent of the method used.</blockquote>The technologically neutral approach ensures that the GDPR is not outdated (contrary to many populist comments) despite following core principles are about 40 years old.  
The GDPR follows a technologically neutral approach, which is based on principles, not descriptive rules for each type of processing or each new technology. This is for example in strong contrast with the US approach of sectorial privacy laws that only apply to certain processing situations (like health data, credit ranking or video rentals), but not to many modern processing operations. <blockquote><u>Example:</u> Murder is usually defined as intentionally killing another person. It does not matter if a murderer uses a rock or an electric car to run over a victim, it is still murder. A technology neural criminal law only regulates the relevant principle, independent of the method used.</blockquote>The technologically neutral approach ensures that the GDPR is not outdated (contrary to many populist comments) despite following core principles are about 40 years old.  


The technologically neutral approach does however require that abstract principles are fully understood and properly applied to ever changing technology. Many people struggle with this approach in practice, as complex facts and abstract principles often require multiple logical steps to come to a correct outcome.
The technologically neutral approach does however require that abstract principles are fully understood and properly applied to ever changing technology. Many people struggle with this approach in practice, as complex facts and abstract principles often require multiple logical steps to come to a correct conclusion.


==== The switch from a Directive to a single European Regulation ====
==== The switch from a Directive to a single European Regulation ====
Switching from a directive to a single European regulation, meant that the legal text is directly applicable to private entities, without the need to transpose the text into 30+ national laws, as required under the previous Directive 95/46/EC. This approach was meant to bring a more consistent legal framework, as Member States could not change the meaning of EU law when implementing it into national law. Initially Member States were partly opposed to this approach.
Switching from a directive to a single European regulation, meant that the legal text is directly applicable to private entities, without the need to transpose the text into more than 30 national laws, as required under the previous Directive 95/46/EC. This approach was meant to bring a more consistent legal framework, as Member States could not change the meaning of EU law when implementing it into national law. Initially Member States were partly opposed to this approach.


In the initial proposal, the European Commission foresaw more than 25 options to further specify the GDPR via delegated acts. This would have allowed the Commission to further legislate elements of the GDPR unilaterally and was met with enormous criticism. Most of these clauses have been removed in the legislative process, without   
In the initial proposal, the European Commission foresaw more than 25 options to further specify the GDPR via delegated acts. This would have allowed the Commission to further legislate elements of the GDPR unilaterally and was met with enormous criticism. Most of these clauses have been removed in the legislative process, without necessarily adding needed specifications via other instruments.    


The so-called "one stop shop" and the cooperation procedures between national supervisory authorities, were also meant to ensure consistency not only in the legal text, but also in enforcement. The cooperation in the European Data Protection Board (which replaced the previous Article 29 group) was meant to ensure that certain Member States would not undermine the GDPR by not properly applying or enforcing the law.  
The so-called "one stop shop" and the cooperation procedures between national supervisory authorities, were also meant to ensure consistency not only in the legal text, but also in enforcement. The cooperation in the European Data Protection Board (which replaced the previous Article 29 group) was meant to ensure that certain Member States would not undermine the GDPR by not properly applying or enforcing the law.  


Considerably higher penalties, the option for data subjects to submit complaints and lawsuits were additional elements that were highlighted by the European Commission.
On the enforcement side, considerably higher penalties, the option for data subjects to submit complaints and lawsuits were additional elements that were highlighted by the European Commission as major improvement.


However, the GDPR proposal was not fully consistent when unifying the European data protection landscape, as it was necessary to refer to Member State law (for example when personal data had to be stored in accordance with national tax, safety or contract law). In many cases the GDPR even provided for opening clauses on material data protection law, allowing to regulate certain sectors and issues in national law (such as employee data. freedom of speech or research).  
However, the GDPR proposal was not fully consistent when unifying the European data protection landscape, as it was necessary to refer to Member State law (for example when personal data had to be stored in accordance with national tax, safety or contract law). In many cases the GDPR even provided for opening clauses on material data protection law, allowing to regulate certain sectors and issues in national law (such as employee data, freedom of speech or research).  


Equally, budgets, appointments and procedural law is mainly regulated by each Member State. Consequently supervisory authorities follow very different practices, operate on very different budgets and have different priorities and approaches, despite the need for European cooperation. There is also no system that would allow appeals courts to cooperate when dealing with appeals from supervisory authorities. Unifying these matters would have meant that the GDPR would have required massive changes in national legal systems, which would like have been rejected by the Member States.
Equally, budgets, appointments and procedural law is mainly regulated by each Member State. Consequently supervisory authorities follow very different practices, operate on very different budgets and have different priorities and approaches, despite the need for European cooperation. There is also no system that would allow appeals courts to cooperate when dealing with appeals from supervisory authorities. Unifying these matters would have meant that the GDPR would have required massive changes in national legal systems, which would like have been rejected by the Member States.


In practice this leads to situations where the core elements of European data protection law are found in the GDPR, but in many cases there is substantial interaction with national material and procedural laws, which regulate the functioning of the supervisory authorities, the budget, national exceptions or even regulate subject matters that are in fact already regulated in the GDPR.
In practice this leads to situations where all the core elements of European data protection law are found in the GDPR, but in some cases there is substantial interaction with national material and procedural laws, which regulate national exceptions, the functioning of supervisory authorities or even regulate subject matters that are in fact already regulated in the GDPR.


==== GDPR as a raw data law ====
==== GDPR as a raw data law ====
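Review bot: the paragraph on national approaches breaks off mid-sentence at "artifacts that are still left" in both wordings shown in this hunk ("The nationalistic approach will however ..." and "These nationalistic approaches will however ..."), so the sentence should be completed or dropped rather than carried over. The paragraph beginning "In practice the large convergence" has "under the GDR" where GDPR is meant and "a useful a guide". Smaller slips in the same hunk are worth fixing in one pass: "across boarders" (borders), "solely be reference to EU law" (by reference), "be replaces by" (replaced), "starting in the 1970ies", and "send in postal mail and analyses by individuals" (sent, analysed).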
Line 257: Line 253:
Attempts to regulate the way personal data is processed via algorithms, artificial intelligence and alike were not included in the GDPR proposal, even when traces of such thoughts can be found in some elements of the GDPR and some of the general principles can be used to regulate issues that may come from the use of problematic ways of processing information.
Attempts to regulate the way personal data is processed via algorithms, artificial intelligence and alike were not included in the GDPR proposal, even when traces of such thoughts can be found in some elements of the GDPR and some of the general principles can be used to regulate issues that may come from the use of problematic ways of processing information.


There are ongoing debated to regulate the "black box" in separate legal instruments.
There are ongoing debated to regulate the "black box" in separate legal instruments and the European Union has passed additional regulations, such as the Digital Services Act or the Digital Markets Act. An additional Artificial Intelligence Act is also in the making. For practitioners, this means that knowledge of these other acts may also be relevant in many cases.


==== The fate of Commission buzzwords ====
==== The fate of Commission buzzwords ====
In an attempt to grab headlines, elements of the proposal, such as the "right to be forgotten" in Article 17 GDPR were promoted as major changes, when in fact the European Commission has simply upgraded the previous right to erasure in Article 12(b) of Directive 95/46/EC and described the conditions and consequences of this right in more detail. While these buzzwords were highlighted a lot during the initial phases of the debates, reality has shown that they have not translated to material changes in practice.
In an attempt to grab headlines, elements of the proposal, such as the "right to be forgotten" in Article 17 GDPR were promoted as major changes, when in fact the European Commission has simply upgraded the previous right to erasure in Article 12(b) of Directive 95/46/EC and described the conditions and consequences of this right in more detail. While these buzzwords were highlighted a lot during the initial phases of the debates, reality has shown that they have not translated to material changes in practice.
=== Lobbying influence ===
The GDPR was at the time seen as the most lobbied piece of European legislation. For the first time US lobbying approaches were widely used in Brussels. Looking back, the input from industry lobbyists does not always seem to have been in the best interest of most average controllers. Instead of clear and precise wording, concepts like a "risk based approach" or various amendments that made the text less precise were floated, in an attempt to water down the Commission proposal. Much needed clarifications were often blocked by industry lobbyists, leading to obvious gaps and unclear wording in the final text.
While large controllers with large legal departments may use these ambiguities and gaps today in an attempt to escape the GDPR, it seems that most normal controllers suffer from these approaches. Some years into the application of the GDPR, it became apparent that most small and medium businesses just want to ensure compliance, without the need for expensive legal council or expert advice. This is often made harder by rather vague concepts and legislation.


=== Position of the European Parliament ===
=== Position of the European Parliament ===
The Members of the European Parliament have made about 4.000 amendments. As each Member of the European Parliament was able to submit an unlimited amount of amendments, no matter if they had any realistic chance of getting passed, there is hardly a consisted position among them. Many amendments were repetitive or pointed in different directions, some amendments were copied directly from lobby papers that were sent to the Members of Parliament.
The Members of the European Parliament have proposed about 4.000 amendments to the GDPR. As each Member of the European Parliament was able to submit an unlimited amount of amendments, no matter if they had any realistic chance of getting passed, there is hardly a consisted position among them. Many amendments were repetitive or pointed in different directions, some amendments were copied directly from lobby papers that were sent to the Members of Parliament.


In the European Parliament a "rapporteur" is in charge of finding a compromise among the amendments. In the case of the GDPR the rapporteur was Jan Albrecht of the German Green party. He had to negotiate this compromise with so-called "shadow rapporteurs" by each other European Parliament party. Generally the Greens, Social Democrats and Left Party were pushing for a higher level of protection, while the European People's Party was largely taking positions in the interest of the industry. The Liberals were usually split between economic liberal and social liberal positions.
In the European Parliament a "rapporteur" is in charge of finding a compromise among the amendments. In the case of the GDPR the rapporteur was Jan Albrecht of the German Green party. He had to negotiate this compromise with so-called "shadow rapporteurs" by each other European Parliament party. Generally the Greens, Social Democrats and Left Party were pushing for a higher level of protection, while the European People's Party was largely taking positions in the interest of the industry. The Liberals were usually split between economic liberal and social liberal positions.


In many cases there was agreement about problems or open questions, but no agreement on a solution. This often lead to situations where the political players agreed to disagree and knowingly left matters open. In many cases, the discussion was moved from the legally binding text of the Articles to the non-binding Recitals of the GDPR.<blockquote><u>Example:</u> There was agreement that legitimate interests under Article 6(1)(f) GDPR would need further definitions, however there was no agreement as what would form a legitimate interest and what not. The industry lobby has tried to even include personalized advertisement into the definition of legitimate interests. Another proposal to not have any advertisement, but so-called "direct marketing" was also rejected by the majority. In the end there was an agreement to add that "''the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest''" in the non-binding Recital 47. This allowed one side to claim that "''may''" means that it usually is a legitimate interest, while the other side could claim that "''may''" means that this is usually not the case, but that it could be a legitimate interest in the cases defined in Article 13 of the ePrivacy Directive. </blockquote>In summary, there are many open issues in the GDPR today. They were usually identified by the lawmakers, but intense lobbying and the need to come to a compromise lead to situations where these matters were not regulated clearly enough. While this may have generated jobs for data protection lawyers and consultants, many controllers and data subjects often suffer from such uncertainties.   
In many cases there was agreement about problems or open questions, but no agreement on a solution. This partly lead to situations where the political players agreed to disagree and knowingly left matters open. In some cases, the discussion was moved from the legally binding text of the Articles to the non-binding Recitals of the GDPR.<blockquote><u>Example:</u> There was agreement that legitimate interests under Article 6(1)(f) GDPR would need further definitions, however there was no agreement as what would form a legitimate interest and what not. The industry lobby has tried to even include personalized advertisement into the definition of legitimate interests. Another proposal to not have any advertisement, but so-called "direct marketing" was also rejected by the majority. In the end there was an agreement to add that "''the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest''" in the non-binding Recital 47. This allowed one side to claim that "''may''" means that it usually is a legitimate interest, while the other side could claim that "''may''" means that this is usually not the case, but that it could be a legitimate interest in the cases defined in Article 13 of the ePrivacy Directive. </blockquote>In summary, there are certain open issues in the GDPR today. They were usually identified by the lawmakers, but intense lobbying and the need to come to a compromise lead to outcomes where these matters were not regulated clearly enough. While this may have generated jobs for data protection lawyers and consultants, controllers and data subjects often suffer from such uncertainties.   


Based on the so-called "Albrecht Report" the compromises were approved by relevant LIBE committee in October 2013 with a 49 vote majority, one vote against the proposal and three abstentions.  In March 2014 the Plenary of the European Parliament has equally voted for the report with 621 against 10 votes and 22 abstentions - so about 95%.   
Based on the so-called "Albrecht Report" the compromises were approved by relevant LIBE committee in October 2013 with a 49 vote majority, one vote against the proposal and three abstentions.  In March 2014 the Plenary of the European Parliament has equally voted for the report with 621 against 10 votes and 22 abstentions.<ref>See voting list of the European Parliament: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=23714&l=en</ref> The GDPR thereby revived support of about 95% fo the Members of the European Parliament and had very strong democratic backing.   


It was overall slightly more protective or privacy rights, but has especially removed the countless clauses that would have allowed the European Commission to further specify the GDPR through delegated acts.  
The European Parliament position was overall slightly more protective or privacy rights, but has especially removed the countless clauses that would have allowed the European Commission to further specify the GDPR through delegated acts.  


=== Position of the European Council ===
=== Position of the European Council ===
The European Council is mad up of the EU Member States. Every six months another Member State is holding the presidency and is in charge of coordinating the position of the Member States.  
The European Council is mad up of the EU Member States. Every six months another Member State is holding the presidency and is in charge of coordinating the position of the Member States.  


In practice the GDPR negotiations were held in the so-called DAPIX working group, where rotating presidencies have issues partial proposals and agreements. Member States have submitted countless ideas, proposals for changes and reservations on each paragraph of the law. Most of these documents were marked confidential during the GDPR negotiations - nevertheless many of the proposals were leaked.  
In practice the GDPR negotiations were held in the so-called DAPIX working group, where rotating presidencies have issued partial proposals and agreements. Member States have submitted countless ideas, proposals for changes and reservations on each paragraph of the law. Most of these documents were marked confidential during the GDPR negotiations - nevertheless many of the proposals were leaked or became available after the end of the legislative process.  


While many of these documents are now available as PDFs, it is hard to follow the inner workings of the Council working groups and get a detailed overview about the reasons for changes to the Commission proposal. It is however clear, that the Council has often had a more in-depth debate of legal concepts and interaction with national law. Overall the Council also took a more business friendly approach and opposed many changes proposed by the European Parliament.
While many of these documents are now available as PDFs, it is hard to follow the inner workings of the Council working groups and get a detailed overview about the reasons for changes to the Commission proposal. It is however clear, that the Council has often had a more in-depth debate of legal concepts and interaction with national law. Overall the Council also took a more business friendly approach and opposed many changes proposed by the European Parliament.


=== Trilogue ===
=== Trilogue ===
Contrary to the official legislative process in the European treaties, the three relevant legislative players (Commission, Parliament and Council) bring their versions of any new law into alignment in so-called trilogues.  
Contrary to the official legislative process in the European treaties, the three relevant legislative players (Commission, Parliament and Council) regularly bring their versions of any new law into alignment in so-called trilogues.  


Given that the trilogue is an informal format and takes place behind closed doors there are no materials that would allow to understand the rational of the negotiators when drafting the final version of the GDPR. Mostly the positions were taken from one of the three proposals, but certain new gaps or changes in wording cannot be traced back to one of the three positions.
Given that the trilogue is an informal format and takes place behind closed doors there are no materials that would allow to understand the rational of the negotiators when drafting the final version of the GDPR. Mostly the positions were taken from one of the three proposals, but certain new gaps or changes in wording cannot be traced back to one of the three positions.
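Review bot: The sentence added after the plenary vote claims support of "about 95% fo the Members of the European Parliament", but the figures in the same line (621 for, 10 against, 22 abstentions) are votes cast, so 95% is 621 out of 653 votes, not a share of all Members. Suggest "about 95% of the votes cast". The same sentence should read "received" rather than "revived" and "of" rather than "fo". Both revisions also keep "mad up" in the European Council paragraph and "lead to" where "led to" is meant, which this edit could have fixed while touching the section.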
Line 287: Line 288:
In December 2015 the trilogue has come to an agreement on the final text of the GDPR. After further administrative steps and final votes, the text was published on 4 May 2018 in the Official Journal of the EU and was applicable from 25 May 2015, which also triggered the two year deadline until the GDPR became applicable on 25 May 2018.
In December 2015 the trilogue has come to an agreement on the final text of the GDPR. After further administrative steps and final votes, the text was published on 4 May 2018 in the Official Journal of the EU and was applicable from 25 May 2015, which also triggered the two year deadline until the GDPR became applicable on 25 May 2018.


=== Lobbying influence ===
While political reactions may be different based on culture and history, within the European Member States, but also on a global scale, there is clearly an overall desire to increase protections of personal data globally.<ref>See XXX</ref> The fact that these desires are not always be turned into laws seems to be based on the lack of democratic participation in many areas of the world, or political gridlock in developed democracies. While there is a common narrative that Europeans would care more about the protection of their personal data, there is clear empirical evidence that there are majorities for such protections globally.
The GDPR was at the time seen as the most lobbied piece of European legislation. For the first time US lobbying approaches were widely used in Brussels. Looking back the input from industry lobbyists do not always seem to have been in the best interest of most average controllers. Instead of clear and precise wording, concepts like a "risk based approach" or various amendments that made the text less precise were floated, in an attempt to water down the Commission proposal. Much needed clarifications were often blocked by industry lobbyists, leading to obvious gaps and unclear wording in the final text.  


While large controllers with large legal departments may use these ambiguities and gaps today in an attempt to escape the GDPR, it seems to us that most normal controllers suffer from these approaches. Some years into the application of the GDPR it seems that most small and medium businesses just want to ensure compliance, without the need for expensive legal council or expert advice.
The European Union has overcome such gridlock and had broad political support when passing the GDPR. In fact, all but one EU Member State (who has sought higher protections) have voted in favor the GDPR.  


== Legal structure surrounding the GDPR ==
== Legal structure surrounding the GDPR ==
The GDPR is not just itself consisting of 99 articles, but is embedded in a broader legal structure all the way from the European treaties down to national law and guidance by regulators. A good understanding of the overall legal environment allows to navigate the GDPR efficiently and understand the bigger picture.  
The GDPR is not just consisting of 99 articles, but is embedded in a broader legal structure all the way from the European treaties down to national law and guidance by regulators. A good understanding of the overall legal environment allows to navigate the GDPR efficiently and understand the bigger picture.  


=== Treaty Law ===
=== Treaty Law ===
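Review bot: The new paragraph that replaces the "Lobbying influence" heading asserts "clear empirical evidence" of global majorities for data protection, but its only reference is the placeholder "See XXX". Either supply the source or soften the claim until one is available. "are not always be turned into laws" in the same paragraph should read "are not always turned into laws". The timeline sentence is left unchanged in both revisions, yet its dates cannot all be right: publication on 4 May 2018 comes after applicability "from 25 May 2015", and a two-year deadline from 2015 does not end on 25 May 2018. It should be checked against the Official Journal.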
Line 299: Line 299:


==== Article 8 CFR ====
==== Article 8 CFR ====
The Charter of Fundamental Rights (CFR) is part of the treaties of the European Union since the Treaty of Lisbon entered into force in 2009. The 50 Articles of the CFR ensure that there is a distinct Human Rights catalogue for the EU, which did not exist before.
The Charter of Fundamental Rights (CFR) is part of the treaties of the European Union since the Treaty of Lisbon entered into force in 2009. The 50 Articles of the CFR ensure that there is a distinct Human Rights catalogue for the EU, which did not exist before. Article 8 introduces a new fundamental right to data protection, which reads as follows:<blockquote>'''Article 8'''
 
'''Protection of personal data'''
 
1.   Everyone has the right to the protection of personal data concerning him or her.
 
2.   Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.


Article 8 of the CFR  
3.   Compliance with these rules shall be subject to control by an independent authority.</blockquote>While many other fundamental rights only proclaim a high level area of protection, such as "everyone has the right to freedom of expression", Article 8 CFR is exceptional, as paragraph 2 defines many elements of the right to data protection in more detail. The CFR requires that any law, such as the GDPR, must include elements like the fair processing of personal data (see [[Article 5 GDPR|Article 5(1)(a) GDPR]]), the need to limit the purpose of such processing (see [[Article 5 GDPR|Article 5(1)(b) GDPR]]), the requirement to have a legitimate basis laid down by law (see [[Article 6 GDPR|Article 6(1) GDPR]]), the right to access and the right to rectification (see [[Article 15 GDPR|Articles 15]] and [[Article 16 GDPR|16 GDPR]]). 


Article
The CFR is superior to any ordinary EU law. If the GDPR would violate the CFR, it would have to be annulled by the Court of Justice of the European Union. To avoid annulments, the Court of Justice usually interprets and EU or national law "''in light of the Charter''". This can be a very powerful tool to overcome legal uncertainties when applying the GDPR.


==== Article 7 CFR ====
==== Article 7 CFR ====
xxx
In addition to the explicit right to data protection, the CFR also enshrines a general right to privacy. The right to privacy is definitely broader than the right to data protection. It includes analogue intrusions into a person's privacy, the right to family life of the person's home. At the same time the right to data protection includes specific other rights, such as the right to access or purpose limitation. The interaction between the two fundamental rights is hence unclear and often discussed. In practice, the GDPR must be interpreted in the light of all fundamental rights in the CFR, so a combination of both Articles can be applied. 
 
Article 7 CFR also corresponds to the right to privacy in Article 8 of the European Convention of Human Rights (ECHR). In accordance with Article 52(3) CFR, Articles in the CFR shall be interpreted in line with the meaning and scope of those rights shall in the ECHR, as long as EU law does not provide more extensive protection. This means that via Article 7 and 52(3) CFR, the case-law of the European Court for Human Rights (ECtHR) on Article 7 ECHR may also used as a minimum red line when interpreting the GDPR.
 
==== Article 16 TFEU ====
While Directive 95/46/EC was based on the EU's mandate to ensure the functioning of the European common market, the GDPR is now based on Article 16 TFEU: <blockquote>'''Article 16''' 


Article 7 CFR also corresponds to Article 8 of the European Convention of Human Rights (ECHR). Article 52(3) CFR
1.   Everyone has the right to the protection of personal data concerning them.  


''You can help us fill this section!''
2.   The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.


==== Article 16 TFEU ====
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.</blockquote>Article 16(1) TFEU is merely repeating Article 8(1) CFR, but does not add any material meaning to it. Paragraph 2 provides for a legal basis to pass the GDPR and [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32018R1725 Regulation (EU) 2018/1725] on the use of personal data by the European Union itself and again requires independent supervisory authorities, just like Article 8(3) CFR.
While Directive 95/46/EC was based on the EU's mandate to ensure the functioning of the European common market,  


=== GDPR ===
=== GDPR ===
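Review bot: The new Article 7 CFR text first says Article 7 CFR corresponds to "Article 8 of the European Convention of Human Rights", then closes by referring to ECtHR case-law "on Article 7 ECHR". The second reference contradicts the first and should presumably also be Article 8 ECHR. The same paragraph needs a grammar pass: "the meaning and scope of those rights shall in the ECHR" has a stray "shall", "may also used" is missing "be", and "the right to family life of the person's home" in the paragraph above reads as if "or" was intended. In the Article 8 CFR paragraph, "usually interprets and EU or national law" should be "any EU or national law".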

Latest revision as of 15:57, 1 February 2024

Overview of GDPR

Intro and background

The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention of Human Rights (ECHR).

Technical development made large-scale information gathering feasible

Given the technical possibilities of automated data processing starting in the 1970s, information about individuals was increasingly easy to generate, process and keep. For the first time, there was a realistic option to gather even rather trivial information in a fast, efficient and targeted manner and connect such information to generate a detailed picture of an individual. Technical developments have also ended traditional economic and practical limitations of information gathering and sharing in the analogue age, which further amplifies the issue.

Example: Storage space used to be so expensive that irrelevant data was instantly deleted; by now, storage is often cheaper than implementing proper deletion routines. It is therefore economically more feasible to not delete old data. The principle of data minimization in Article 5(1)(c) GDPR has foreseen this technological development and implements a legal requirement to delete irrelevant data.

While information was always available and traded, the technical and factual options have dramatically increased since the middle of the 20th century. Information no longer had to be kept in archives, sent by postal mail and analysed by individuals, but could increasingly be processed automatically - dramatically bringing down costs for the use of personal data.

When reading about the initial fears in the 20th century, it becomes obvious that many of the rather futuristic predictions came true decades later, as technology moved on.

Information is power

Since ancient times, information has been power. Knowledge about the interests, intentions and weak points of another person has always been used to get the upper hand in transactions, relationships or even wars.

Digital information did not just become omnipresent, yet often intangible and invisible, but also led to enormous power in the hands of anyone who controls the processing of personal data. At the core, the information age now allows certain government and private entities to gather unthinkable amounts of information about other people and entities. Information about a person usually makes it possible to manipulate individual decision making, no matter if this concerns individual purchase decisions, decisions by others about work, life and love or collective political decision making. Even rather trivial personal data, such as personal purchasing preferences, can be used by advertisers to trigger transactions that a consumer would otherwise not have engaged in - thereby enriching a business.

Example: If an airline were able to gather data to find out that a passenger is desperate to fly to a certain place at a certain time (e.g. because he must attend a wedding), it could likely double prices. At the same time, the passenger usually would not know that the flight is hardly booked and that the airline is desperate to sell seats and will offer a discount in the next days.

Such information imbalance can be overcome if a controller may not use the personal data of a passenger in certain ways, or information is simply not available to the controller.

Cultural elements of the right to privacy

In addition to rational elements, such as information imbalances, there are also cultural and psychological reasons that lead to the protection of personal data. Topics like personal finances, health, relationships, nudity or sexuality are in many cultures seen as private, even when there is not necessarily a logical reason for these feelings. For historic reasons, some cultures have diverging feelings about government surveillance, the power of large commercial actors and the like. These cultural and historic backgrounds have further influenced the need to regulate the matter.

Legal History

While the history of the right to privacy and now the right to data protection could itself fill books, the following short overview may be useful to understand the broader picture and the background of the GDPR:

Initial national laws and internationalization

The first explicit data protection laws can be traced back to the 1970 data protection act in the German state of Hessen, the US Privacy Act of 1974 or the broad French 1978 Data Protection Act.

Realizing that protections would be undermined when personal data is sent across borders, but that the limitation of data flows would also undermine free trade and international integration, the need to internationalize rules and protection quickly became apparent. Convention 108 and the following EU legislation were based on a simple equation: Once the right to data protection is standardized in a certain geographic area, there is no reason to limit data flows anymore. Following this thought, the GDPR's full title is still the "Regulation ... on the protection of natural persons with regard to the processing of personal data and on the free movement of such data".

Directive 95/46/EC and its influence on the GDPR

Realizing the need for an EU framework to ensure the free flow of personal data within the European common market, the European Commission proposed an EU Directive in 1990, which would later become Directive 95/46/EC. By October 1998 all EU Member States had to pass a national data protection act that was aligned with Directive 95/46/EC.

Directive 95/46/EC allowed Member States to adapt the rules to national frameworks and traditions. National data protection laws had to follow and be interpreted in line with Directive 95/46/EC, but were still transposed into national laws, subject to national developments, case law and national additions.

Contrary to Directive 95/46/EC, the GDPR is a Regulation and therefore directly applicable and must be interpreted solely by reference to EU law, not national traditions. At the same time, the basic principles of Directive 95/46/EC stayed the same in the GDPR.

In practice the large convergence between Directive 95/46/EC and the GDPR meant that previous decisions by courts and authorities, as well as previous guidelines, are often referred to when interpreting the GDPR. Many issues or problems are the same under the GDPR and existing case law can consequently be a useful guide when facing the same questions under the GDPR. However, experts, lawyers, authorities and courts also have a tendency to hold on to more than 20 years of national data protection law and tradition that are not supported by the GDPR anymore. Some Member States have even copied elements of their previous national data protection law into national laws implementing the GDPR, when there is no room under EU law to add such provisions or national interpretations. The strong wish to hold on to existing national approaches is even present in part of the national legal literature on the GDPR.

These nationalistic approaches will however gradually be replaced by a truly European approach. Until such time, it is important to differentiate between concepts that can be derived from the GDPR or general principles of European law and artifacts that are still left

GDPR

The European Union does not have a constitution, but the fundamental principles of the Union are enshrined in so-called "treaty law". On 1 December 2009 the Lisbon Treaty came into force. Article 16(2) TFEU provided for a new legal basis in Union law to pass comprehensive data protection legislation. In addition, the rapid development of an international market for digital services and products also made it necessary to replace the many national laws and regulations on data protection with one uniform European framework, applicable in the entire European Economic Area.

Proposal by the European Commission

On 25.1.2012 the European Commission published its proposal for the GDPR,[1] together with a proposal for a directive on the use of personal data in the area of law enforcement.

Core elements from Directive 95/46/EC

The material privacy protections of the GDPR proposal were largely similar to the protections under Directive 95/46/EC. The GDPR is therefore often described as not being a revolution, but an evolution.

In fact the core principles of the GDPR can already be found in the Council of Europe Convention 108,[2] which was passed in 1981 and was signed by 57 countries, including non-European countries.

Technologically neutral, principle based approach

The GDPR follows a technologically neutral approach, which is based on principles, not descriptive rules for each type of processing or each new technology. This is for example in strong contrast with the US approach of sectorial privacy laws that only apply to certain processing situations (like health data, credit ranking or video rentals), but not to many modern processing operations.

Example: Murder is usually defined as intentionally killing another person. It does not matter if a murderer uses a rock or an electric car to run over a victim, it is still murder. A technologically neutral criminal law only regulates the relevant principle, independent of the method used.

The technologically neutral approach ensures that the GDPR is not outdated (contrary to many populist comments), even though the core principles it follows are about 40 years old.

The technologically neutral approach does however require that abstract principles are fully understood and properly applied to ever changing technology. Many people struggle with this approach in practice, as complex facts and abstract principles often require multiple logical steps to come to a correct conclusion.

The switch from a Directive to a single European Regulation

Switching from a directive to a single European regulation meant that the legal text is directly applicable to private entities, without the need to transpose the text into more than 30 national laws, as required under the previous Directive 95/46/EC. This approach was meant to bring a more consistent legal framework, as Member States could not change the meaning of EU law when implementing it into national law. Initially Member States were partly opposed to this approach.

In the initial proposal, the European Commission foresaw more than 25 options to further specify the GDPR via delegated acts. This would have allowed the Commission to further legislate elements of the GDPR unilaterally and was met with enormous criticism. Most of these clauses have been removed in the legislative process, without necessarily adding needed specifications via other instruments.

The so-called "one stop shop" and the cooperation procedures between national supervisory authorities were also meant to ensure consistency not only in the legal text, but also in enforcement. The cooperation in the European Data Protection Board (which replaced the previous Article 29 group) was meant to ensure that certain Member States would not undermine the GDPR by not properly applying or enforcing the law.

On the enforcement side, considerably higher penalties and the option for data subjects to submit complaints and lawsuits were additional elements that were highlighted by the European Commission as major improvements.

However, the GDPR proposal was not fully consistent when unifying the European data protection landscape, as it was necessary to refer to Member State law (for example when personal data had to be stored in accordance with national tax, safety or contract law). In many cases the GDPR even provided for opening clauses on material data protection law, allowing to regulate certain sectors and issues in national law (such as employee data, freedom of speech or research).

Equally, budgets, appointments and procedural law are mainly regulated by each Member State. Consequently supervisory authorities follow very different practices, operate on very different budgets and have different priorities and approaches, despite the need for European cooperation. There is also no system that would allow appeals courts to cooperate when dealing with appeals from supervisory authorities. Unifying these matters would have meant that the GDPR would have required massive changes in national legal systems, which would likely have been rejected by the Member States.

In practice this leads to situations where all the core elements of European data protection law are found in the GDPR, but in some cases there is substantial interaction with national material and procedural laws, which regulate national exceptions, the functioning of supervisory authorities or even regulate subject matters that are in fact already regulated in the GDPR.

GDPR as a raw data law

The GDPR was always planned as mainly regulating the use of personal data in a rather binary way. It generally regulates if personal data may be used for a specific purpose, but not how the processing is actually taking place. Once the requirements in the GDPR are met, it generally allows any form of processing and does not look into the "black box".

Attempts to regulate the way personal data is processed via algorithms, artificial intelligence and the like were not included in the GDPR proposal, even though traces of such thoughts can be found in some elements of the GDPR and some of the general principles can be used to regulate issues that may come from the use of problematic ways of processing information.

There are ongoing debates about regulating the "black box" in separate legal instruments and the European Union has passed additional regulations, such as the Digital Services Act or the Digital Markets Act. An additional Artificial Intelligence Act is also in the making. For practitioners, this means that knowledge of these other acts may also be relevant in many cases.

The fate of Commission buzzwords

In an attempt to grab headlines, elements of the proposal, such as the "right to be forgotten" in Article 17 GDPR were promoted as major changes, when in fact the European Commission has simply upgraded the previous right to erasure in Article 12(b) of Directive 95/46/EC and described the conditions and consequences of this right in more detail. While these buzzwords were highlighted a lot during the initial phases of the debates, reality has shown that they have not translated to material changes in practice.

Lobbying influence

The GDPR was at the time seen as the most lobbied piece of European legislation. For the first time US lobbying approaches were widely used in Brussels. Looking back, the input from industry lobbyists does not always seem to have been in the best interest of most average controllers. Instead of clear and precise wording, concepts like a "risk based approach" or various amendments that made the text less precise were floated, in an attempt to water down the Commission proposal. Much needed clarifications were often blocked by industry lobbyists, leading to obvious gaps and unclear wording in the final text.

While large controllers with large legal departments may use these ambiguities and gaps today in an attempt to escape the GDPR, it seems that most normal controllers suffer from these approaches. Some years into the application of the GDPR, it became apparent that most small and medium businesses just want to ensure compliance, without the need for expensive legal counsel or expert advice. This is often made harder by rather vague concepts and legislation.

Position of the European Parliament

The Members of the European Parliament proposed about 4.000 amendments to the GDPR. As each Member of the European Parliament was able to submit an unlimited number of amendments, no matter if they had any realistic chance of getting passed, there is hardly a consistent position among them. Many amendments were repetitive or pointed in different directions, some amendments were copied directly from lobby papers that were sent to the Members of Parliament.

In the European Parliament a "rapporteur" is in charge of finding a compromise among the amendments. In the case of the GDPR the rapporteur was Jan Albrecht of the German Green party. He had to negotiate this compromise with so-called "shadow rapporteurs" from each of the other European Parliament parties. Generally the Greens, Social Democrats and Left Party were pushing for a higher level of protection, while the European People's Party was largely taking positions in the interest of the industry. The Liberals were usually split between economic liberal and social liberal positions.

In many cases there was agreement about problems or open questions, but no agreement on a solution. This partly led to situations where the political players agreed to disagree and knowingly left matters open. In some cases, the discussion was moved from the legally binding text of the Articles to the non-binding Recitals of the GDPR.

Example: There was agreement that legitimate interests under Article 6(1)(f) GDPR would need further definitions, however there was no agreement as to what would form a legitimate interest and what not. The industry lobby even tried to include personalized advertisement in the definition of legitimate interests. Another proposal, to not have any advertisement but so-called "direct marketing", was also rejected by the majority. In the end there was an agreement to add that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest" in the non-binding Recital 47. This allowed one side to claim that "may" means that it usually is a legitimate interest, while the other side could claim that "may" means that this is usually not the case, but that it could be a legitimate interest in the cases defined in Article 13 of the ePrivacy Directive.

In summary, there are certain open issues in the GDPR today. They were usually identified by the lawmakers, but intense lobbying and the need to come to a compromise led to outcomes where these matters were not regulated clearly enough. While this may have generated jobs for data protection lawyers and consultants, controllers and data subjects often suffer from such uncertainties.

Based on the so-called "Albrecht Report" the compromises were approved by the relevant LIBE committee in October 2013 with a 49 vote majority, one vote against the proposal and three abstentions. In March 2014 the Plenary of the European Parliament equally voted for the report with 621 votes against 10 and 22 abstentions.[3] The GDPR thereby received the support of about 95% of the Members of the European Parliament and had very strong democratic backing.

The European Parliament position was overall slightly more protective of privacy rights, and in particular removed the countless clauses that would have allowed the European Commission to further specify the GDPR through delegated acts.

Position of the European Council

The European Council is made up of the EU Member States. Every six months another Member State holds the presidency and is in charge of coordinating the position of the Member States.

In practice the GDPR negotiations were held in the so-called DAPIX working group, where rotating presidencies issued partial proposals and agreements. Member States submitted countless ideas, proposals for changes and reservations on each paragraph of the law. Most of these documents were marked confidential during the GDPR negotiations - nevertheless many of the proposals were leaked or became available after the end of the legislative process.

While many of these documents are now available as PDFs, it is hard to follow the inner workings of the Council working groups and get a detailed overview of the reasons for changes to the Commission proposal. It is, however, clear that the Council has often had a more in-depth debate of legal concepts and interaction with national law. Overall the Council also took a more business friendly approach and opposed many changes proposed by the European Parliament.

Trilogue

Contrary to the official legislative process in the European treaties, the three relevant legislative players (Commission, Parliament and Council) regularly bring their versions of any new law into alignment in so-called trilogues.

Given that the trilogue is an informal format and takes place behind closed doors, there are no materials that would allow one to understand the rationale of the negotiators when drafting the final version of the GDPR. Mostly the positions were taken from one of the three proposals, but certain new gaps or changes in wording cannot be traced back to one of the three positions.

In December 2015 the trilogue came to an agreement on the final text of the GDPR. After further administrative steps and final votes, the text was published on 4 May 2018 in the Official Journal of the EU and was applicable from 25 May 2015, which also triggered the two-year deadline until the GDPR became applicable on 25 May 2018.

While political reactions may be different based on culture and history, within the European Member States, but also on a global scale, there is clearly an overall desire to increase protections of personal data globally.[4] The fact that these desires are not always turned into laws seems to be based on the lack of democratic participation in many areas of the world, or political gridlock in developed democracies. While there is a common narrative that Europeans would care more about the protection of their personal data, there is clear empirical evidence that there are majorities for such protections globally.

The European Union has overcome such gridlock and had broad political support when passing the GDPR. In fact, all but one EU Member State (which sought higher protections) voted in favor of the GDPR.

Legal structure surrounding the GDPR

The GDPR does not just consist of 99 articles, but is embedded in a broader legal structure all the way from the European treaties down to national law and guidance by regulators. A good understanding of the overall legal environment makes it possible to navigate the GDPR efficiently and understand the bigger picture.

Treaty Law

The European Union does not have a constitution; its primary law is instead found in the treaties. Treaty law is higher ranking than normal European legal acts, like regulations, directives or decisions. The European treaties require the protection of personal data as a human right, which can only be changed by a unanimous agreement of all EU Member States.

Note: If a European legal act like the GDPR violated treaty law, it would have to be annulled by the European Court of Justice (CJEU). To avoid such a situation, legal acts are usually interpreted to be in compliance with treaty law. Consequently the CJEU usually interprets the GDPR in light of treaty law, which makes treaty law especially relevant when working with the GDPR.

Article 8 CFR

The Charter of Fundamental Rights (CFR) is part of the treaties of the European Union since the Treaty of Lisbon entered into force in 2009. The 50 Articles of the CFR ensure that there is a distinct Human Rights catalogue for the EU, which did not exist before. Article 8 introduces a new fundamental right to data protection, which reads as follows:

Article 8

Protection of personal data

1.   Everyone has the right to the protection of personal data concerning him or her.

2.   Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3.   Compliance with these rules shall be subject to control by an independent authority.

While many other fundamental rights only proclaim a high level area of protection, such as "everyone has the right to freedom of expression", Article 8 CFR is exceptional, as paragraph 2 defines many elements of the right to data protection in more detail. The CFR requires that any law, such as the GDPR, must include elements like the fair processing of personal data (see Article 5(1)(a) GDPR), the need to limit the purpose of such processing (see Article 5(1)(b) GDPR), the requirement to have a legitimate basis laid down by law (see Article 6(1) GDPR), the right to access and the right to rectification (see Articles 15 and 16 GDPR).

The CFR is superior to any ordinary EU law. If the GDPR violated the CFR, it would have to be annulled by the Court of Justice of the European Union. To avoid annulments, the Court of Justice usually interprets any EU or national law "in light of the Charter". This can be a very powerful tool to overcome legal uncertainties when applying the GDPR.

Article 7 CFR

In addition to the explicit right to data protection, the CFR also enshrines a general right to privacy. The right to privacy is definitely broader than the right to data protection. It includes analogue intrusions into a person's privacy, the right to family life or the person's home. At the same time the right to data protection includes specific other rights, such as the right to access or purpose limitation. The interaction between the two fundamental rights is hence unclear and often discussed. In practice, the GDPR must be interpreted in the light of all fundamental rights in the CFR, so a combination of both Articles can be applied.

Article 7 CFR also corresponds to the right to privacy in Article 8 of the European Convention of Human Rights (ECHR). In accordance with Article 52(3) CFR, Articles in the CFR shall be interpreted in line with the meaning and scope of those rights in the ECHR, as long as EU law does not provide more extensive protection. This means that via Article 7 and 52(3) CFR, the case-law of the European Court for Human Rights (ECtHR) on Article 7 ECHR may also be used as a minimum red line when interpreting the GDPR.

Article 16 TFEU

While Directive 95/46/EC was based on the EU's mandate to ensure the functioning of the European common market, the GDPR is now based on Article 16 TFEU:

Article 16

1.   Everyone has the right to the protection of personal data concerning them.

2.   The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

Article 16(1) TFEU merely repeats Article 8(1) CFR, but does not add any material meaning to it. Paragraph 2 provides for a legal basis to pass the GDPR and Regulation (EU) 2018/1725 on the use of personal data by the European Union itself and again requires independent supervisory authorities, just like Article 8(3) CFR.

GDPR

To navigate the GDPR it is useful to get an overview of all the elements of the regulation.

Recitals

EU legal acts usually start with so-called recitals. These recitals should explain the rationale and intention of the actual legal text in the Articles. Recitals are not legally binding, but are often used to interpret the legally binding text in the Articles. If there is a mismatch between the Recitals and the Articles, the Articles prevail. In the political process that led to the final text of the GDPR, the negotiators sometimes outsourced issues to the Recitals, hoping that this would allow a compromise between the political players.

This practice has led to a situation where the 173 Recitals are sometimes less of an explanation of the substantial law, but are indeed trying to replace it.[5] It will be interesting to see if the CJEU, the supervisory authorities and the national courts will at all times follow such substantial provisions in the Recitals. In many cases, there seems to be no other option.

Chapters

The GDPR is split into eleven chapters, which makes it easier to find relevant provisions.

Chapter 1 includes the general provisions, including the scope of the law and the definitions. While both seem rather technical, the material and territorial scope are crucial to understanding whether the GDPR even applies to a certain situation. Equally, a good understanding of the definitions ensures that the law is applied correctly. This is especially true, as the GDPR sometimes uses a very specific vocabulary.

Chapter 2 can be seen as the core of the GDPR. The principles in Articles 5 and 6 largely regulate if personal data may be processed or not. Other provisions in this chapter are dealing with special situations that are not covered in the general provisions in Articles 5 and 6, such as the use of special categories of data, data relating to criminal convictions or offenses or the conditions for consent.

Chapter 3 regulates the rights of the data subject, allowing data subjects to get information and take some control of the processing of their personal data.

Chapter 4 holds a lot of general duties of controllers and processors, like the duty of processors to follow the directions of a controller, or the duty to have adequate data security measures in place. Some of these duties do not apply to all controllers and processors, and some are even optional, like codes of conduct or certifications.

Chapter 5 regulates data flows that leave the EU/EEA and how personal data can be protected once it leaves the European market.

Chapters 6 and 7 regulate the basic principles around the supervisory authorities as well as how they cooperate on a European level, including via the European Data Protection Board (EDPB).

Chapter 8 deals with the enforcement of the GDPR, including the options to bring complaints, file lawsuits, issue fines or demand damages.

Chapter 9 includes a number of opening clauses for Member States to regulate special processing situations, for example in the context of employment, religious organizations, archives, freedom of speech, professional secrecy or freedom of information.

Chapters 10 and 11 deal with delegated acts, the interaction with other EU law, monitoring and the coming into force of the GDPR.

Articles

Unlike the 173 Recitals, the 99 Articles of the GDPR contain the legally binding elements. Most Articles have numbered paragraphs and alphabetical sub-paragraphs.

Other EU law

The GDPR is by far not the only relevant data protection law on the European level. The following other regulations and directives apply to certain processing operations or sectors:

ePrivacy Directive 2002/58/EC

The ePrivacy Directive 2002/58/EC deals with various privacy-related matters in the telecoms sector, including specific rules like privacy in telecommunication, the option to hide the caller number, the use of metadata by telecoms providers and the like.

Outside of the telecoms sector, this directive is mainly known as the "EU cookie law": Article 5(3) of the ePrivacy Directive requires that information in a terminal equipment (such as a phone or a computer) may only be stored or accessed if a user gave consent within the meaning of the GDPR.

In addition, Article 13 of the ePrivacy Directive regulates unsolicited communication ("Spam") in the EU, requiring that controllers either get consent or merely send information to existing customers ("direct marketing"), with the option to object to such marketing emails.

Currently the ePrivacy Directive acts as a lex specialis, further determining the right to privacy in communication. Each Member State has an implementation of the ePrivacy Directive, often as a separate national law, as part of the GDPR implementation or as part of a telecommunication act. Each Member State can choose the authority that is in charge of enforcing the ePrivacy Directive. In many cases this is (at least for certain articles) the relevant supervisory authority, but often also the telecoms regulator.

The ePrivacy Directive was planned to be turned into a regulation, together with the coming into force of the GDPR, but so far there is no agreement between the European Commission, the European Parliament and the European Council on the details of the new regulation.

eCommerce Directive 2000/31/EC

The eCommerce Directive does not directly regulate data protection matters, but fair market behavior in online commerce. However, certain elements like the requirement to have a proper imprint, or the need to have functioning contact details on each website that operates on the European market, often overlap with information and communication requirements under the GDPR.

Data Protection Regulation (EU) 2018/1725 on EU Institutions

The GDPR generally applies to private and public entities, but not to EU institutions themselves. The processing of personal data by EU agencies, the European Commission, the European Parliament or for example EUROPOL is regulated by a separate Regulation (EU) 2018/1725. In general, the Regulation is very similar to the GDPR.

There is a separate supervisory authority for EU institutions, the European Data Protection Supervisor (EDPS), who is tasked with enforcing Regulation (EU) 2018/1725 within the EU institutions.

Data Protection Directive (EU) 2016/680 on the Criminal Law Sector

At the same time as the European Commission published its proposal for the GDPR, it also published the proposal for Directive (EU) 2016/680 "on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data". It mainly applies to state bodies in the criminal law sector, which are exempt from the GDPR. It replaced an earlier Council Framework Decision and is usually transposed into a national law in each Member State.

National Implementation Laws

While the GDPR regulates the core material and procedural elements, many details require national implementations. In these areas the GDPR functions more like a Directive, providing Member States with a rough structure, but leaving it to Member States to regulate the details. This includes national procedures before the courts and the supervisory authorities, the setting up of these authorities or the use of various opening clauses.

Most Member States have passed some form of a data protection act, which implements the GDPR. In addition to a data protection act, individual provisions were added to many national laws regulating certain sectors. It can take serious research to find all relevant provisions and decide which provision is applicable in each case.

Especially in cross-country contexts, there may be overlapping national uses of opening clauses, as the GDPR allows Member States to pass additional legislation, but there is no European conflict of law provision. It is up to each Member State to clarify if a national provision for example only applies to controllers that are established within their territory, or to any controller operating within their territory.

Interpretation of the GDPR

General remarks on the interpretation of EU law

EU law is usually interpreted using the common forms of legal interpretation, namely grammatical interpretation (using the literal meaning), historical interpretation (using the documents of the political process), systematic interpretation (considering the context of provisions and other EU laws) and teleological interpretation (considering the purpose of the statute). Given that the GDPR is implementing the fundamental right to data protection, an interpretation in line with the CFR is more relevant for the GDPR than for most other EU acts.

As EU law is equally authentic in all 24 official languages of the Union and many words have a distinct legal meaning in different languages, it is important to note that there can be differences in various language versions. Instead of a purely grammatical interpretation, the CJEU therefore often focuses on a teleological interpretation (ratio legis) when trying to understand the purpose of the law. This makes it possible to overcome translation issues.

National law, national traditions or case law are usually not relevant when interpreting European law. European law forms a supranational body of law and has to be strictly separated from national law and traditions, even when this often proves to be easier said than done. In reality many national laws go beyond the opening clauses in the GDPR or even try to reinterpret parts of the law, when regulating issues that are already regulated by the GDPR in national law. In such cases, the national law may not be applied, as EU law trumps national law.

EDPB and National Guidance

You can help us fill this section!

Enforcement of the GDPR

You can help us fill this section!

  1. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0011&from=EN
  2. https://rm.coe.int/1680078b37
  3. See voting list of the European Parliament: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=23714&l=en
  4. See XXX
  5. For example, there was no agreement on any more detailed definition of legitimate interests in Article 6(1)(f) GDPR. More details can only be found in Recitals 47 to 49.