Since 25 May 2018, European privacy legislation has changed fundamentally: The European Data Protection Regulation (EU) 2016/679 (GDPR) came into force and harmonized data protection law across the EU. The GDPR is directly applicable in all EU member states and also stipulates some opening clauses for local laws and regulations of each EU member state.
Privacy issues first appeared in some European countries in the 1970s, when governments started to process their citizens' data on a massive scale, which led to the first privacy laws. The demand for protection increased in the 1980s when private companies started gathering data about their customers. A common protection system was then implemented across Europe, followed by the EU Data Protection Directive in the 1990s (Directive 95/46/EC). Every European country had to transpose this set of rules into its national regulations. But as technology has substantially transformed the way personal data is handled over the last twenty years, a review of the existing rules was needed. In 2016, the EU adopted the GDPR, which replaces the 1995 Data Protection Directive.
Privacy is a fundamental human right recognized in the UN Declaration of Human Rights, the International Covenant on Civil and Political Rights and in many other international and regional treaties.
Art. 1 Sec. 2 of the GDPR states: ‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’
The GDPR provides a high level of data protection and is directly applicable in all EU member states. Companies outside the EU may also be subject to the GDPR if an "establishment" of the company collects personal data in an EU member state or addresses the EU market, even when that establishment is located outside the EU.
The European Data Protection Board (EDPB) is an EU body in charge of the application of the General Data Protection Regulation (GDPR) as of 25 May 2018. The Board not only issues guidelines on the interpretation of core concepts of the GDPR but is also called upon to rule, by binding decisions, on disputes regarding cross-border processing.
According to Chapter 6 of the GDPR, each EU member state shall provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR. Those data protection authorities (DPAs) supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws.
Infringements of the GDPR may lead to fines of up to €20 million or 4% of a company's total worldwide annual turnover.
The above-mentioned common ground allows data transfers within the EU borders (provided that the principles of Art. 5 GDPR are adhered to); however, when personal data leaves the EU, the same level of protection and compliance must be guaranteed by additional safeguards.
The GDPR provides multiple solutions to ensure compliance, whether you export data mainly to the US or worldwide. Different solutions may apply depending on whether you have just a few or hundreds of contractors outside Europe. It is important to choose carefully between Privacy Shield (see: Data transfer framework), Binding Corporate Rules, Standard Contractual Clauses, or even creating your own compliance process.
Despite the European common ground, each country still has its own distinct legal system. Compliance rules differ depending on the local culture; for example, there are huge differences between the UK and Greece. And of course, every form has to be filled in using the local language.
Furthermore, there are several opening clauses in the GDPR, meaning that EU member states can modify the provisions of the GDPR article in which the clause resides.
The General Data Protection Regulation (GDPR) has established the concept of a Data Protection Officer (DPO) in Europe. Thus, while for example the US Chief Privacy Officer (CPO) has no formal or legal existence, the European DPO derives its rights from law.
Companies need to appoint a DPO if they are a public authority, engage in systematic monitoring of people, or process sensitive personal data on a large scale. A DPO can be appointed from within an organization or hired externally. Tasks of the DPO include: