The recent Facebook Cambridge Analytica scandal made us realise how important strong data protection rules are for society as a whole, including for the very functioning of the democratic process. These and other developments have shown that the protection of privacy, as a central individual right and a democratic imperative, but also as an economic necessity, is crucial: without consumers’ trust in the way their data is handled, our data-driven economies will not thrive.
The General Data Protection Regulation (GDPR), which entered into application on 25 May, is the European Union’s response to these challenges and opportunities. It seeks to create a virtuous circle between better protection of privacy as a fundamental right, enhanced confidence of consumers in how the privacy and security of their data are guaranteed, in particular in the online world, and economic growth.
While building on foundations that have been in place for more than 20 years, under a previous Directive of 1995, the GDPR contains important innovations. Many of these changes are particularly relevant to foreign companies doing business in Europe. They will now offer their goods and services in a harmonised and simplified regulatory environment. Instead of having to deal with 28 different data protection laws and 28 different regulators, one set of rules will apply and will be interpreted in a uniform way throughout the continent. Obligations to notify data processing operations or obtain prior authorization from data protection authorities will be scrapped. A number of key concepts are clarified and adapted to the needs of the digital economy. International data transfers from the EU will be simplified and facilitated. All this will mean increased legal certainty and a significant reduction in compliance costs and red tape.
The GDPR is also based on a modern approach to regulation which rewards new ideas, methods and technologies to address privacy and data security. The principles of data protection “by design” and “by default” will create incentives to develop innovative solutions from the earliest stages of development. The so-called “risk-based approach” means that companies that limit the level of risk of their processing operations will not be subject to a number of obligations. Co-regulatory tools, such as codes of conduct or certification mechanisms, are introduced to help companies manage and demonstrate compliance. Last but not least, new rights and safeguards, such as the right to portability or the notification of data breaches, will put individuals in better control of their data. Empowering consumers also means ensuring that they feel safer and more confident when sharing their data. These are just a few examples of how the effective protection of a fundamental right can go hand in hand with unleashing the full potential of the digital economy.
These developments are of course not limited to Europe. Today, more than 120 countries, from almost all regions of the globe, have data privacy laws in place. And many of the new or modernised laws tend to be based on common elements: comprehensive legislation (rather than sectoral rules), a set of enforceable rights, the setting up of an independent supervisory authority, etc. While improving the level of protection of personal data when transferred abroad, this developing convergence offers new opportunities to facilitate trade as well as cooperation between public authorities, both of which increasingly rely on the exchange of personal data.
The European Commission is committed to intensifying its dialogue with its international partners in this area, to promote and further develop elements of convergence between privacy regimes. This includes the possibility of adopting adequacy findings allowing unhindered data flows, as is currently being discussed with Japan and South Korea. It involves contributing to the elaboration of much-needed international standards, such as in the framework of the Council of Europe’s Convention 108, which has an increasingly universal membership. Fostering convergence also means learning from each other through the exchange of experience and best practices. This type of dialogue is essential in our interconnected world if we want to address challenges that are increasingly global in nature and scope.