2016 EU GDPR: Goals, Impact and involved parties
In our first part we quickly introduced some of the main topics regarding the new EU General Data Protection Regulation (EU-GDPR), but havent further explained the details of the new rules. Within this second part we would like to dice deeper into the topics by starting with
- Starting position
- involved parties
Within directive 95/46/EC, the European Parliament and the Council already planned to harmonize the data protection laws within the EU in 1995. Because of the form of a directive (and not a regulation as what we have now), it did not succeed, and the way data protection is implemented across the Union it has become even more fragmented.
Under the impression of several decisions from the European Court and publications related to data privacy, the European Parliament, the Commission and the European Council reached an agreement in a so called 'Trilog': A new regulation on the 'protection of individuals with regard to the processing of personal data and on the free movement of such data'.
The objectives and principles of the Directive 96/46/EC remain sound, as it is stated in the considerations around the new regulation. Also stated in it are a few reasons, why this Directive did not reached the goals. The new regulation therefor should help to reach the following goals
- binding rules for the whole EU
- Individuals should get more control over their personal data
- the rules should help to set global standards
- Harmonize and simplify the rules regarding this in the EU
- enforcability of these rules
As already stated, we are dealing now with a 'regulation', not a directive any more. As such, it is a binding law with immediate validity as it is also stated in the Article 91: 'This Regulation shall be binding in its entirety and directly applicable in all Member States.'
Because of this legal nature the EU-GDPR will replace national regulations on Data Protection very soon, although special escape clauses are to be expected for some countries.
The regulation will be effective with its publication in the Offical Journal of the EU, which is to be expected in Q2/2016. After a transition period of 2 years, it will activating itself fully, finally replacing national regulations and requiring everyone doing business in the EU to comply with its rules.
Central view point is the 'affected person' (someone residential in the EU), whose personal data is processed by a Controller, or by a Processor assigned by the Controller. The data might be transfered to a third party as well.
This means: It does NOT matter, if third party, controller or Processor is NOT EU established.
Controller and Processor have to make sure to process the data according to the regulation, and they have to be able to proof it.
Evidance showing the inefficiency of the old 1995 directive is also shown by a recent paper published by two scientists from Universities Hamburg and Siegen (Germany).
Stay tuned for the next part in our series!