Salem Press


Privacy Rights in the Digital Age, 2nd Edition

General Data Protection Regulation

by J. N. Manuel

The General Data Protection Regulation (GDPR) is a regulation within European Union (EU) law designed to safeguard the storage and use of an individual’s data. Its scope covers “data controllers” (companies and organizations which collect and store data), “data processors” (an individual or organization which possesses data on behalf of the controller), and “data subjects” (individuals) based in the EU, giving the regulation’s theoretical application a reach far beyond the EU’s physical borders. Notably, GDPR does not apply to individuals who collect data privately, or for a “purely personal or household activity and thus with no connection to a professional or commercial activity.” Law enforcement and national security organizations are also exempt, and exceptions exist for scientific research and employee-employer relationships.

For the purposes of GDPR, the European Commission has stated that personal data is considered “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” In remarks given in May of 2018, prior to GDPR going into effect, Pierre Nicolas Schwab, chairman of the Big Data Initiative of the European Broadcasting Union, noted that even requesting an email address of an EU citizen for a paperless credit card receipt had the potential to create issues of compliance with GDPR for US-based companies.

GDPR consists of 99 articles, grouped within 11 chapters. Additionally, there are 171 “recitals” and explanatory remarks. An EU-wide data reform effort was first proposed in January of 2012. The GDPR was adopted by the EU Parliament and the Council of the European Union in April of 2016. It went into effect for member states in May of 2018, and in July GDPR became valid in all European Economic Area countries.

The goal of GDPR is to simplify data protection for individuals and safeguard the data rights of individuals, providing them with greater “control” over the collection and use of their data. Companies that collect and store data would be required to obtain affirmative consent regarding what kind of data is collected and what it is intended to be used for. Additional protections exist for individuals under the age of 16, requiring someone of “parental responsibility” to opt into data collection on a minor’s behalf. Companies would also be required to inform individuals of a data breach within 72 hours of their becoming aware of it.

For individuals, GDPR guarantees more safeguards on data usage and rights to personal data. Included in this are the right to see data a company may have collected, the right to opt out of data collection, and the right to have data deleted. For companies, GDPR mandates safeguards such as pseudonymization, restricting the transfer of data to a third (non-EU) country, and acquiring informed consent to data collection and usage from individuals. Further, it is incumbent on “data controllers” (the company or organization collecting the data) to ensure that any partner organizations with access to data (“data processors”) are also GDPR compliant.

The penalty for being found in violation of GDPR is 4 percent of a company’s annual global turnover, or 20 million Euros, whichever number is higher. In theory, both a “data controller” and “data processor” found to be in violation of GDPR could be penalized. Violations are enforced by the data regulation ministry of each member state, meaning that if a company is based in France and is found in violation of GDPR, it is up to the Commission nationale de l’informatique et des libertés (CNIL) to enforce the regulation and collect any pursuant fines. Companies can also appeal alleged violations.

While some have criticized the GDPR for having unclear compliance standards and creating burdensome requirements of companies that handle data, most data experts have agreed that the GDPR is necessary for both companies and consumers. Facebook creator Mark Zuckerberg said in May of 2018, “A lot of the philosophy that is encoded in regulation like GDPR is really how we’ve thought about a lot of this stuff for a long time.” The regulation has also been praised by whistleblower Edward Snowden and several consumer-protection organizations including the European Consumer Organization. Zuckerberg, however, declined to implement Facebook’s GDPR compliance standards globally.

Critics of the regulation have also argued that although GDPR guarantees access to data, many individuals will have trouble understanding and contextualizing the data collected on them.

Though companies had two years (from April 2016 to May 2018) to prepare for GDPR, many noted that individuals were informed haphazardly, with emails regarding data policy changes arriving en masse between April and May of 2018. Moreover, the exact changes in policy were often hard to parse, and the barrage of notifications led some users to describe the rollout as “notification fatigue.” Some even argued that the GDPR notifications may have violated the EU’s own anti-spam laws.

After the implementation of GDPR, some U.S. companies, including the Chicago Tribune and Los Angeles Times, began blocking EU-based users altogether. Others, like National Public Radio, redirected EU-based users to pared-down versions of their websites, often with fewer data-driven advertisements, in an effort to comply with the regulation. A non-profit also sued Facebook within hours of the GDPR going into effect over its “all or nothing” consent policies, believing it to be in violation of the GDPR’s “particularized consent” model. As of January 2019, Google has been fined 50 million Euros by the French CNIL for having unclear data consent notifications in violation of GDPR. German Bundeskartellamt anti-monopoly regulators have also warned Facebook against combining information gathered through Facebook, Instagram, and WhatsApp (all of which are owned by Facebook), in violation of GDPR data consent regulations.

On 29 March 2019, barring an extension, the United Kingdom is expected to leave the European Union (a process popularly known as Brexit). Some have speculated as to whether or not Brexit will have an impact on British companies’ data protection practices. Due to the interconnectedness of British and European businesses, it is expected that GDPR-like regulations will be folded into British law to ensure as seamless a transition as possible.


Citation Types

MLA 9th
Manuel, J. N. "General Data Protection Regulation." Privacy Rights in the Digital Age, 2nd Edition, edited by Jane E. Kirtley & Michael Shally-Jensen, Salem Press, 2019. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA2e_0106.