Author(s)
Chris Hoofnagle, Bart van der Sloot and Frederik Zuiderveen Borgesius
Source
Information & Communications Technology Law, Vol. 28, No. 1, pp. 65-98, 2019
Summary
Europe’s General Data Protection Regulation (GDPR) is the most important data protection regulation in decades, and will affect data processing world-wide. Under the GDPR, firms must develop detailed data processing policies.
Policy Relevance
Many firms based in the United States will be affected by the GDPR. GDPR regulators have expanded enforcement powers.
Main Points
- Europe’s GDPR extends and refines the data protection requirements imposed by Europe’s 1995 Data Protection Directive.
- The GDPR takes a different approach than US-based privacy law.
- U.S. law takes a sectoral approach.
- Generally, under U.S. law, data collection and use is presumed to be lawful unless specifically prohibited.
- The GDPR creates a detailed regulatory regime for privacy, and will affect the use, transfer, and storage of data worldwide.
- The regime may apply to firms that have no physical presence in Europe, if the firm offers goods or services, even free goods or services, to European residents.
- The rules will apply to U.S.-based firms that use cookies to track the behavior of European residents.
- Under the GDPR, firms are encouraged to develop governance frameworks specifically for information, to use data obtained and stored in-house, and to refer key decisions about data to human beings, rather than to automating information processing systems.
- The GDPR will advantage companies with direct relationships to consumers, compared to Internet-based third-party advertisers; benefitted firms will include news organizations and publishers now dependent on third-party tracking.
- The GDPR includes enhanced penalties and rules that facilitate proof of violations of data protection regulations.
- Under the GDPR, regulators may impose substantial fines.
- Unlike the Federal Trade Commission, Europe’s Data Protection Authorities are obliged to hear complaints.
- Consumers may bring class action suits to enforce their rights to limit data processing.
- Some information-intensive business models will be limited by the GDPR, and the GDPR will give rise to conflicts between large technology firms and Data Protection Authorities.