As different personal data protection rules and practices in the EU member states were found to hamper the development of the single market, the GDPR transfers the competence to the European institutions.
Since the adoption of the present legal framework based on Directive 95/46/EC, information technology has made significant progress and has become an integral part of our everyday lives, so a change of the legal framework was undoubtedly due and necessary.
At the time the Directive was adopted and entered into force, the Internet had few users. According to the World Bank, less than one percent of Europeans used it, most of whom relied on Netscape’s Internet browser, which was the first to provide secure communications (SSL), and Windows 95 – the computers of the lucky few were driven by the then most powerful Pentium 133 processor. Some months prior to the adoption and entry into force of the Directive, Larry Page and Sergey Brin (who would become the founders of Google) met for the first time. After the Directive had entered into force, it took another three years for the Nokia 5110 mobile phone to appear, six years for smartphones to be used on a large scale in Japan, nine years for the social network Facebook to be used by the public, and more than ten years for the first cloud service to appear.
The European legislator could not have been expected to take account of these factors related to information privacy when adopting the Directive. The traps and risks for personal data, on the one hand, and the incapacity of the existing legal framework to encourage the development of the single market, on the other, only became apparent during the 22-year-long existence of the Directive.
In the process of adopting the GDPR, the European Commission proposed and managed to incorporate several essential complements to the existing principles of personal data protection. It shaped its proposals based on practical experience and the decisions of the Court of Justice of the European Union.
From the perspective of supervision, the new rules will facilitate the one-stop-shop principle, by which the national supervisor of the EU member state where the entity obligated to protect personal data has its main seat will be the competent supervisory authority.
The new principles of privacy by design and privacy by default will oblige entities to design products and services from the ground up around the idea of privacy, in order to attract more consumers, and to have the highest level of privacy protection options turned on by default.
The new legal framework will affect the business of entities which are not domiciled in an EU member state but offer products or services or exert control over individuals in the European Union. The aforementioned entities will have to appoint a representative in the European Union and align their business with the new legal framework.
Under the new legal framework, children will only be able to approve the processing of their personal data with their parents’ consent, and the processing of children’s data for purposes of contract execution will also be limited. Generally, there will be more requirements for consent. Processing of sensitive data, which will now also include genetic data, and transfer of personal data outside the European Economic Area will both require an express act of consent.
The individuals to whom the personal data relate will acquire more robust rights, inter alia, the right to be forgotten, while the data controllers will be obligated to provide more extensive information on their procedures – however, not at the cost of comprehensibility and transparency.
Entities whose business activity involves a high level of risk related to personal data will need to conduct a risk assessment procedure and consult the national supervisor before initiating data processing, which represents additional time pressure in the process of implementing projects.
The GDPR requires adequate protection of personal data against unauthorized access on the data storage medium used for processing; given the existing threats to data, this is hard to imagine without the use of advanced safeguards and encryption methods.
Public entities obligated to protect data, entities that, due to the nature of their activity, regularly and systematically monitor personal data, and entities that process sensitive personal data will need to appoint an authorized person for the protection of personal data. This person will be responsible only to the top management bodies within the entity obligated to protect data, and will be responsible primarily for all questions with regard to personal data protection.
The entities obligated to protect data will need to ensure that they are able to prove, at any time, to the national supervisors that they fulfil all the requirements. In some cases, the fulfilment of the requirements can also be ensured by subscribing to codes of conduct approved in advance by the national supervisor, or by obtaining certification from the certifying authority – generally prior to the commencement of the processing of personal data.
The national supervisors will be entitled to monitor entities obligated to protect personal data, issue reminders, or prohibit the processing of personal data. For a violation of the legal requirements, an entity obligated to protect data shall face a penalty in the amount of 4% of its global annual turnover or €20 million, and said entity shall also compensate the damage suffered by the individuals affected.
The GDPR should silence those who advocate economic progress at the cost of human rights, promote electronic commerce, strengthen and stimulate the development of the single market, and eliminate administrative barriers to trade. The countdown to the commencement of the new legal framework has begun. The final year before the GDPR enters into force will pass quickly, and preparations therefore need to be made today.