The EU General Data Protection Regulation (GDPR) will become applicable on 25 May 2018 and will lead to important changes in data protection law both within the EU and the European Economic Area and in third countries: it will apply to entities worldwide that provide goods and services to individuals in the EU, and to operators of online platforms or websites that are accessible from the EU.
Until now, US companies offering their services in the EU were shielded from some aspects of the EU data protection laws through the so-called “home country principle”. However, the GDPR introduces the “market place principle” which extends its territorial reach to every entity and individual doing business with the EU, even if the entity operates from a non-EU country.
The provisions of the GDPR include, inter alia, the following changes:
Data collection only for “specified, explicit and legitimate purposes”
As of 25 May 2018, personal data may only be collected for “specified, explicit and legitimate purposes”. This implies that if a company collects personally identifiable information from its customers for the purpose of processing a transaction, it will not automatically be allowed to use that information for any other purpose, for example advertising.
Furthermore, the GDPR also sets stricter information requirements. Companies must inform their customers in detail of the legal basis for processing the data, the duration of storage, the criteria used to determine that duration, and any transfer of the data to data processors. This means that companies must review all their legal information texts on data protection matters as soon as possible. It is to be expected that the data protection authorities will examine these legal texts in order to assess the data protection compliance of the companies.
Consent and revocation
The major winners under the GDPR are consumers, since companies’ data processing activities will depend largely on customers’ consent. The age from which a person can effectively grant such consent is left to the national regulation of the individual EU Member States. Article 8 GDPR mentions the minimum age of 13 years. However, merely stating one’s age in order to gain access may soon no longer suffice: the GDPR introduces obligations on companies to verify the age of their potential customers.
The Right to be Forgotten
The GDPR also grants consumers the “right to be forgotten”, which might be more aptly called “the right to be erased”. Previously, an affected person had the right to have personal search engine results blocked. Now, under the GDPR, he or she will have the right to have the data deleted directly at the place where it is stored.
A real innovation compared to the existing data protection laws within the EU is the right to data portability. Consumers will be able to consent to having their personal data transferred to another company in a "structured, common, and machine-readable format". This means that, for example, a telecommunications provider will be obliged to transfer customer data to a competitor if the customer decides to enter into a new contractual relationship with that competitor.
The maximum fines stipulated in the current data protection rules in Germany are up to EUR 300,000 per individual infraction. By contrast, the GDPR will impose fines of up to EUR 20 million or 4% of a group's total worldwide annual sales.