The General Data Protection Regulation (GDPR) became enforceable on May 25th, 2018, though it was adopted in April 2016. Most national privacy laws apply only within the country where they were drafted and passed, e.g. Brazil, South Africa, or China. The GDPR, however, covers all EU member states plus the three additional European Economic Area (EEA) countries.
The GDPR is arguably the best known and most influential of the global privacy laws passed to date, and it continues to influence current legislation. It is not the first international privacy law, however. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was passed in 2000 and South Africa’s Protection of Personal Information Act (POPIA) was passed in 2013, for example. The world’s first data protection legislation was enacted in 1970 in the German state of Hesse.
The GDPR very clearly defines key aspects of privacy law, like legal bases for data processing, definitions of valid consent and extraterritoriality. We will look at these in more detail, as well as their influence in the EU and abroad.
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a privacy law that requires organizations to uphold the privacy rights of “anyone in EU territory” when offering them goods or services, and to safeguard any personal data that has been collected or processed. The GDPR replaced the 1995 Data Protection Directive, which had been implemented in national data protection laws on a country-by-country basis, resulting in a less cohesive patchwork of regulations across Europe.
The GDPR applies to companies based in the EU, but also companies or organizations based elsewhere that conduct operations there. The regulation requires the implementation of seven principles of data protection and facilitates eight privacy rights for consumers. Member states have their own data protection authorities to handle enforcement; it is not handled by a central authority.
Seven principles for lawful processing of personal data under the GDPR
Per Art. 5 these are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What are consumers’ rights under the General Data Protection Regulation?
The GDPR provides the data subject with eight explicit rights under Chapter 3 (Art. 15-22). These are:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to be notified (regarding rectification, erasure, or restriction of processing)
- Right to data portability
- Right to object (to processing)
- Right regarding automated individual decision-making, including profiling
Key definitions from the General Data Protection Regulation
Art. 4 contains the full list of definitions of important terms used in the GDPR; we’ve included some of the most relevant and frequently used ones here.
Personal data
“Any information that relates to an individual who can be directly or indirectly identified” using it. This can include obvious information like names, ID numbers, phone numbers or email addresses, but also IP addresses, browser cookies, or sensitive personal details like gender, religious beliefs or political affiliation (Art. 9).
Data processing
“Any action performed on data, whether automated or manual.” This can include, among other actions, “collecting, recording, organizing, structuring, storing, using, erasing…”
Data subject
“The person whose data is processed.” For companies online, most commonly this would include visitors to a website, customers, or app users.
Data controller
“The person who decides why and how personal data will be processed.” Most commonly this is a company or international organization. The controller also liaises with and directs the data processor, if that entity is a third party.
Joint controller
Two or more data controllers that decide the purposes and means of data processing, individually or jointly. (Learn more: Joint Controllership and the GDPR: what you need to know)
Data processor
“A third party that processes personal data on behalf of a data controller.” This could include a wide variety of entities, most commonly external. Employees of a data controller acting within the scope of their employment duties are typically considered agents of the data controller, not data processors. Data processors can range from cloud-based server providers to email service providers, adtech or martech companies and more.
Legal bases and legitimate interest in the General Data Protection Regulation
Art. 6 covers “Lawfulness of processing”, or legal bases, as they’re commonly referred to. These are the circumstances under which data processing by a controller is legal. While user consent is probably the one that comes most easily to mind, there are six in total:
- the data subject has given consent
- performance of a contract with the data subject
- compliance with a legal obligation to which the data controller is subject
- to protect the vital interests of the data subject or of another natural person
- in the public interest, or the data controller is exercising official authority
- legitimate interests pursued by the controller or by a third party
Companies need to be careful where legitimate interest is concerned (Recital 47). It can be a convenient basis for a data controller to claim, as it avoids having to obtain and store user consent. However, the claim also has to be provable to the authorities. And, under the GDPR, legitimate interest does not apply “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Consent as defined by the General Data Protection Regulation
Consumers online are often asked for their consent to the collection and processing of their personal data multiple times a day. Websites regularly show cookie walls or banners asking for consent, and these vary in how transparently they communicate rights and options, how granular the consent choices are, and whether consent can be rejected altogether. (Many cookie banners are still not GDPR-compliant.)
Recital 32 lists the GDPR’s conditions for valid consent:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
The Recital also outlines conditions that are not valid for consent and how to accurately represent the scope of the consent request:
“Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Communications or user interface features that manipulate or trick users into providing consent or otherwise completing actions they may not have otherwise chosen are known as “dark patterns”. Legislators and authoritative bodies are taking an increasingly negative view of such activities and organizations that employ them.
Art. 7 sets out the conditions for consent and the data controller’s corresponding responsibilities:
- the controller has to be able to prove that the data subject consented to the processing of their data
- if consent is given in a written declaration covering other matters, the request for consent has to be presented in a clearly distinguishable way, intelligibly and easily accessible, with clear and plain language
- the data subject must be able to withdraw consent at any time, and it has to be as easy to do so as to grant consent
- performing a contract or providing services cannot be made conditional on the data subject’s consent if that consent is not necessary to perform the contract or provide the services
Opt-in vs. Opt-out
The GDPR uses an “opt-in” model of user consent, which means that organizations cannot collect or process data until the user – an online shopper, website visitor, app user, etc. – consents to it. This requirement covers not only personal data like names and email addresses but also quite granular and “behind the scenes” data. For example, under the GDPR users must consent to the use of cookies and other tracking technologies on websites before those services are allowed to be active for that user’s online activities.
Internationally, many laws like Brazil’s Lei Geral de Proteção de Dados Pessoais / General Data Protection Law (LGPD) and South Africa’s POPIA also use this consent model. In the United States, however, to date an “opt-out” model of user consent has been implemented at the state level (in California, Virginia, and Colorado where privacy laws have been enacted). Organizations subject to these regulations do not have to obtain user consent prior to collection of data, but do have to obtain consent prior to selling the data. There are some exceptions to this, including when the data belongs to children (Art. 8) or has been classified as “sensitive” (Art. 9).
Companies’ responsibilities under the General Data Protection Regulation
Two key questions for companies, on which the personal information and privacy of hundreds of millions of people and the world’s second largest economy turn, are: “Who does the GDPR apply to?” and “What is GDPR compliance?”
Most broadly, the GDPR’s principles affirm that if companies are going to collect and process the personal data of “anyone in EU territory”, they need to have a provable legal basis for doing so, like user consent, performance of a contract, or public interest, per Art. 6. They also need to safeguard that data once they have it (Art. 25). Companies don’t have to experience a data breach to be found in violation of the GDPR, but it’s certainly more likely that a company would come to the attention of the authorities if there’s a complaint against them. (The right to lodge a complaint is covered in Art. 77.)
Among other responsibilities, in pursuing GDPR compliance, companies must clearly communicate what categories of data they collect, for what purposes it’s being collected, how it’s being collected, and who will have access to it (Recital 39). There must also be contractual agreements in place between the processor and third-party processors (Art. 28). If any of these circumstances change, the data subject must be notified and consent obtained for the new circumstances. A privacy policy on the company’s website is a common location to present this information.
With some exceptions, data controllers can’t retain the data for any longer than is necessary to complete the purpose for which it was collected (Art. 5). They are obligated to delete it upon request by the data subject and notify the subject upon completion of the request (Art. 17).
Data subjects also have the right to revoke their consent to collection and processing of their data at any time under the GDPR, even if they previously provided consent. The law also requires that it be as easy to revoke consent as it was to give it.
The GDPR provides considerable guidance on implementation of data privacy procedures (Art. 24-25) and on achieving compliance. For example, in many cases appointment of a data protection officer is required within the organization (Art. 37-39), and it addresses both business-to-consumer (B2C) and business-to-business (B2B) operations.
Exceptions to the scope of the GDPR
Per Art. 2 on the material scope of the GDPR, it does not apply in all circumstances of data processing. Exceptions include activities that:
- fall outside the scope of European Union law
- fall within the scope of Title V, Chapter 2 of the Treaty on European Union
- are by an individual (natural person) in the course of a purely personal or household activity
- are for law enforcement purposes (e.g. crime prevention, investigation or prosecution), including preventing threats to public security
There are exemptions for other authorities as well (e.g. tax, customs, etc.) in the course of fulfilling their duties, as outlined by Recital 31. Art. 89 also has exceptions for scientific, statistical and historical purposes, and Recital 153 has considerations relating to journalism, academia, artistic and/or literary expression.
With regards to data itself, rather than its processing specifically, Recital 26 outlines exceptions that apply to anonymized/pseudonymized data.
Joint controllership
Data processing is not always controlled by a single entity. Per Art. 26: “Where two or more controllers jointly determine the purposes and means of processing they shall be joint controllers”. Joint controllers must have a recorded arrangement between them, outlining respective roles and responsibilities.
Per the GDPR, all parties have responsibilities regarding transparency about their data processing arrangement, adherence to data subjects’ rights and the provision of information as outlined in Art. 13 and 14. Data subjects may exercise their rights against any or all controllers in a joint controllership arrangement.
Learn more: Joint Controllership and the GDPR: what you need to know
Extraterritorial application of the General Data Protection Regulation
As noted in Art. 3, the GDPR applies to organizations that process the personal data of “anyone in EU territory” in the course of offering goods or services or monitoring behavior, regardless of whether or not there is payment. It doesn’t matter if the company is headquartered in the EU or even has a physical presence there.
Further, Recital 25 outlines the applicability of the GDPR as a consequence of the applicability of international law:
“Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State’s diplomatic mission or consular post.”
Data transfers
Chapter 5 (Art. 44-50) deals with transfers of data from the EU either to third countries or international organizations, either while undergoing processing or after. Transferring data outside of the EU requires measures beyond the standard ones, particularly for data protection, and often requires a specific adequacy decision (Art. 45).
An adequacy decision exists “where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.” Adequacy decisions enable ongoing data transfers between entities, so additional authorization is not required on a regular basis unless the terms of the original agreement change.
Adequacy decisions most commonly exist between countries, but can exist with international organizations as well. For example, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been deemed adequate for data transfers with the EU.
When assessing adequacy, some of the conditions considered include relevant legislation, the rule of law and human rights record, public security, access to personal data by public authorities, data protection rules, existence of independent supervisory authorities, and other international commitments the third country or organization has entered into.
The GDPR requires that adequacy decisions are periodically reviewed, at least every four years. However, they can be repealed, amended, or suspended at any time if new information demonstrates that the third country or organization no longer guarantees an adequate level of data protection.
Data can still be transferred to a third country or international organization without an adequacy decision in place, but only if the controller or processor has provided appropriate safeguards (Art. 46) and can abide by and enforce data subject rights.
Absent an adequacy decision or confirmation of appropriate safeguards, data transfers can still be done, but only under the following circumstances (Art. 49):
- the data subject has been informed of possible risks of the transfer and lack of adequacy decision or appropriate safeguards, and has explicitly consented
- the transfer is necessary for performance of a contract between the controller and the data subject
- the transfer is necessary for the performance or conclusion of a contract between the controller and another legal or natural person and is in the data subject’s interest
- important reasons of public interest
- establishing, exercising or defending legal claims
- to protect the data subject’s or other persons’ vital interest where the data subject is physically or legally incapable of giving consent
- the transfer is, for a particular case, made from a register intended to provide information to the public, is open to consultation by anyone who can demonstrate a legitimate interest, and within the laws of the EU or member state
Penalties and enforcement under the General Data Protection Regulation
There are two tiers of penalties for GDPR violations, with conditions for levying them outlined in Art. 83.
In the first tier of penalties, infringement of the following provisions is subject to fines of up to € 10 million, or up to 2 percent of the total worldwide annual turnover (gross revenue) for the preceding financial year, whichever is higher:
- the obligations of the controller and the processor (Art. 8, 11, 25-39, 42 and 43)
- the obligations of the certification body (Art. 42 and 43)
- the obligations of the monitoring body (Art. 41)
In the second tier of penalties, for more egregious violations, infringement of the following provisions is subject to fines of up to € 20 million, or up to 4 percent of the total worldwide annual turnover (gross revenue) for the preceding financial year, whichever is higher:
- the basic principles for processing, including conditions for consent (Art. 5, 6, 7 and 9)
- the data subjects’ rights (Art. 12–22)
- the transfers of personal data to a recipient in a third country or an international organisation (Art. 44–49)
- any obligations pursuant to Member State law adopted under Chapter IX
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority (Art. 58), or failure to provide access in violation of Art. 58
General Data Protection Regulation and other international privacy laws
There are a number of international privacy laws that predate the GDPR, including Canada’s PIPEDA and South Africa’s Protection of Personal Information Act (POPIA). As noted above, PIPEDA is considered adequate to enable data transfers. The GDPR garnered global attention when it was implemented, and it has served as an influence and a template for legislation in many places since.
While the penalties for violations are less severe, Brazil’s Lei Geral de Proteção de Dados Pessoais / General Data Protection Law (LGPD), which came into effect in 2020, is quite similar to the GDPR.
The United States does not yet have a federal privacy law or a North American regional law with major trading partners (like Canada and Mexico), only three state-level laws to date. The EU used to have the EU-US Privacy Shield framework as an adequacy decision to enable data transfer with the US, but it was struck down by the European Court of Justice in 2020. No replacement agreement has yet been put in place.
When Japan’s Act on Protection of Personal Information (APPI) was updated in 2017, it became extraterritorial, like the GDPR. Japan and the European Commission have reached a mutual adequacy agreement.
India’s Personal Data Protection Bill (PDPB) was introduced to parliament in December 2019. It is modeled after the GDPR in some ways, including regarding consent requirements, the “right to be forgotten”, breach notification requirements and comparable penalties for violation. There is, however, more discretion given to the Indian government to determine enforcement, it includes a seventh legal basis, and categorizes financial data as “sensitive” personal information, which the GDPR does not.
United Kingdom and the General Data Protection Regulation
The GDPR applied to the UK as an EU member state until its exit from the Union in January 2020. As a result, the UK has had to establish its own data protection law, known as the UK General Data Protection Regulation. The UK’s national data protection authority is the Information Commissioner’s Office (ICO), which oversees the UK GDPR as well as the earlier Data Protection Act 2018, among other laws. The EU does now have an adequacy decision with the UK to enable flow of data.
Conclusion
Technology continually evolves, requiring privacy law to evolve with it. The GDPR has been updated several times since it came into effect in 2018, and we can expect further changes in the future. Will third-party cookies go extinct? How will children be protected from social apps harvesting their biometric data? How will AI be utilized and regulated? These are just a small sample of questions that regulators, companies, and citizens will have to address, and that will have to be reflected in the regulation at some point.
Geopolitical changes like the UK’s exit from the European Union and the EU-US Privacy Shield framework being struck down will also affect the GDPR and millions of citizens and companies. The regulation remains a work in progress both for the authorities that review and enforce it, and for companies that need to prioritize compliance while balancing it with revenue goals and building customer relationships. But noncompliance is no small concern. Since 2018 the fines levied for violations amount to billions of Euros.
Fortunately there are tools, such as those for consent management, to help companies navigate GDPR requirements and communicate them to users.
If you have questions about how the GDPR affects your business, or about consent management for websites and apps, we’re happy to help. Contact one of our experts!