EU Data Protection

In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the European Union (EU). In May 2016, the official texts of the Regulation and the Directive were published in the Official Journal of the European Union.

The General Data Protection Regulation (GDPR) introduces tough penalties for non-compliance, with breached organizations facing fines of up to 4% of annual global turnover or about $22 million – whichever is greater.

The Regulation entered into force on 24 May 2016 and shall apply from 25 May 2018. The English language version can be viewed at this web page.

The Directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018. The English language version can be viewed at this web page.

According to the EU, the objective of these new rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritized. The reform will allow European citizens and businesses to fully benefit from the digital economy.

Whenever you open a bank account, join a social networking website, or book a flight online, you hand over vital personal information such as your name, address, and credit card number. What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?

Everyone has the right to the protection of personal data.

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organizations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Every day within the EU, businesses, public authorities, and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

Therefore, common EU rules have been established to ensure that personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.

The EU’s Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.

EU-US Privacy Shield

The new EU-US Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbor framework invalid.

The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.

You can view a Fact Sheet on the EU-US Privacy Shield at this web page.

You can view the entire Privacy Shield document at this United States Department of Commerce web page.