Once upon a time, there was Directive 95/46/EC: this piece of legislation represented a laudable effort of the European Union to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States.
However, digitalisation, globalisation and service outsourcing towards third countries have completely changed the framework against which legislation operates. Technologies currently allow public authorities and private companies to collect, process and share an unprecedented amount of personal and sensible data. This development represents an opportunity for these subjects to pursue their goals in an efficient manner, but at the same time building consumers’ trust is a key to economic development in a digital world. Because of these opposing interests, it became necessary to achieve a correct normative balance between granting the efficient flow and processing of personal data on the one hand, and ensuring the adequate protection of data subjects on the other hand. Therefore, data protection represents a milestone for the development of the digital single market as a part of the Digital Agenda for Europe.
On 24 May 2016, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data –known as General Data Protection Regulation – has entered into force to meet these reform necessities. This Regulation is the result of thousands of amendments and of lengthy negotiations between the Commission, the Council and the Parliament, which started in 2012. From 25 May 2018, the Regulation will directly apply to the Member States’ national legal systems and repeal the out-of-date 1990s Directive. The GDPR does not apply to the processing of personal data by national authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties: indeed, these matters will be covered by Directive (EU) 2016/680, that will grant Member States a higher degree of regulatory autonomy.
CONTENT AND DIFFERENCES FROM 95/46 DIRECTIVE
One of the main objectives of the GDPR was to promote harmonisation between legislations on data protection across the Union. Harmonisation is especially essential considering that digitalisation makes the world “borderless”: as a consequence, granting equal levels of protection facilitates the free flow of data, thus avoiding competitive distortions and obstacles to economic development. This objective was not sufficiently achieved by Directive 95/46/EC, which left a greater implementation autonomy to Member States and therefore caused an excessive differentiation between levels of data protection. Therefore, even if the GDPR leaves States some leeway to specify or restrict certain obligations, these options are limited and the level of harmonisation that it will attain starting from 2018 is quite high.
A second significant difference between Directive 95/46/EC and Regulation 2016/679 concerns the territorial scope of application of EU Regulation. The territorial reach of the Data Protection Directive was defined by the place where the processing of personal data took place and was characterised by a tight connection with the European Union territory. Conversely, the GDPR expanded its scope beyond the borders of the EU: indeed, Article 3 states that the Regulation applies (a) in the context of the activities of controllers and processors established in a Member State, regardless of whether the processing takes place within the EU territory; and (b) to controllers and processors that are not established in the Union, but process data of subjects who are in the EU territory while offering goods or services or monitoring the behaviour of EU data subjects within the Union.
The Regulation also makes the conditions for expressing consent – that is the element around which the EU data protection system revolves – more rigorous. Directive 95/46 allowed for the existence of both opt-in and opt-out consent regimes. Even if some argue that neither opt-in nor opt-out would grant sufficient protection to the data subject because of the general negligence demonstrated by the general public as far as consent is concerned, an opt-in regime is undoubtedly more protective with respect to the rights of individuals. For this reason, the General Data Protection Regulation has excluded the possibility of to adopt an opt-out regime and has exclusively retained the explicit opt-in regime; moreover, it established that consent must be freely given, specific, informed and unambiguous, and created special rules for consent to automated profiling activities and data subjects under 16 years old.
Differently from Directive 95/46, the Regulation introduces the definition of new categories of personal data – that is genetic, biometric and pseudonymous data – and further specifies the contents of the information that the data controller shall provide at the time of consent.
A particularly interesting area of reform concerns the rights granted to the data subject. Indeed, GDPR introduces a provision addressing the right to be forgotten/to erasure that has been much debated by ECJ jurisprudence like Google Spain. Indeed, Article 17 establishes that, under some grounds and with some limitations, the data subject has the right to obtain from the controller the erasure of its personal data with undue delay.
Moreover, Article 20 introduces the right to portability of personal data, which means that data controllers and processors are obliged, upon request of the data subject, to provide it with its personal data in a digital, structured and commonly used format in order for them to be transferred to another electronic processing system.
The GDPR is much more precise than the Directive also with reference to the obligations of subjects who process or control personal data. While the Directive imposed light obligations on the data controller, the Regulation now provides that it shall carry out data protection impact assessment, document processing, enact a self-assessment and adopt other measures; moreover, data controllers must notify data breaches to the DPA within 72 hours. Moreover, Article 25 of the Regulation provides that the data controller shall respect both privacy by design – which means taking privacy into account throughout all the processing of personal data and at the time of determination of processing means – and privacy by default principle – which establishes that data controllers shall process personal data exclusively to the extent and for the period necessary to reach the specific objective. Also, the obligations of the data processor and its relation with the data controller are specified more precisely than in the 95/46 Directive: for example, the data processor is directly accountable and has several obligations. The GDPR also provides for the existence of the Data Protection Officer, a figure that was not present in Directive 95/46: this expert shall be designated where the processing of data is made by public authorities or if the activity of the controller consists of a systematic monitoring of data subjects on a large scale or a large-scale treatment of sensitive data.
Moreover, Member States are required to establish a Supervisory Authority that will deal with complaints, investigations and sanctions. In case of MNEs established in more than one EU Member State, there will be a single leading SA supervising all the activity of this operator throughout the Union, that is the so-called “one-stop-shop”. The national Authorities will collaborate and will be coordinated by a European Data Protection Board, that will substitute the current Article 29 Working Party.
Administrative sanctions are one of the most criticised aspects of the Regulation, as they can reach the higher between 20 million euros or the 4% of the worldwide annual turnover of the previous financial year for some types of infringement. Other infringements of the GDPR cause a fine up to the higher between 2% of annual worldwide turnover and 10 million euros. Despite the criticism received by Article 83, it seems that this provision will be quite effective in deterring breaches of the Regulation.
Finally, and despite the expectations, the GDPR is not revolutionary about the transfer of data to third countries. As in Directive 95/46, extra-EU data transfers are prohibited unless some conditions are met. In particular, data transfers shall be made only towards an adequate jurisdiction. The adequacy of the third country legal system is evaluated by the EU Commission on the basis of the elements established by Article 45(2) GDPR, that are more precise than those provided under the Directive. Adequacy decisions taken under the Directive will remain into force until they are amended, repealed or confirmed by those carried out under the GDPR, that must be reviewed every 4 years. At some conditions, transfer of data to third countries may also be allowed on the basis of agreements between public authorities, model clauses approved by the EU Commission, DPA clauses, approved codes of conduct, approved certifications, ad hoc clauses, specific and informed consent of the data subject etcetera. Legally binding corporate rules conferring enforceable rights to data subjects will become the basis of the legitimisation of international intra-group transfers of data.
The GDPR has been welcomed with enthusiasm by some actors, but has also been strongly criticised by others. For example, it has been pointed out that the comprehensive adaptation process required by the Regulation could represent an excessive administrative and financial burden for both private actors and public authorities of the Member States. Moreover, it has been said that the EU trade and investment framework is not in line with the discipline of the GDPR. It has also been pointed out that the “one-stop-shop” strategy is likely to encourage forum shopping by MNEs. In any case, despite its possible flaws, the General Data Protection Regulation currently represents the most comprehensive and efficient data protection normative system designed so far.
- Commission Communication on the Digital Agenda for Europe, COM (2010)245;
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Regulation (Eu) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 For example, employment and national security data may receive a different treatment.