General Data Protection Regulation
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation of EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8 (1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA area. The main objective of the GDPR is to improve individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Replacing the Data Protection Directive 95/46/EC, the Regulation contains provisions and requirements relating to the processing of personal data of individuals (formally referred to as data subjects in the GDPR) located in the EEA, and applies to any business - regardless of its location and the nationality or residence of data subjects - that is processing the personal information of individuals within the EEA.
The GDPR was adopted on 14 April 2016 and became enforceable on 25 May 2018. As the GDPR is a regulation, not a directive, it is directly binding and enforceable, but it leaves certain aspects of the regulation to be adapted by individual Member States.
The regulation has become a model for many other laws around the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina and Kenya. As of 2021, the UK maintains the law in identical form despite no longer being an EU member state. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities to the GDPR.
The GDPR 2016 has eleven chapters, covering general provisions, principles, data subject rights, duties of data controllers or processors, transfers of personal data to third countries, supervisory authorities, cooperation between Member States, remedies, liability or sanctions for breach of rights, and various final provisions.
The Regulation applies if the data controller (an organisation that collects data from EU residents), or the processor (an organisation that processes data on behalf of a controller such as cloud service providers), or the data subject (person) is based in the EU. In certain circumstances, the Regulation also applies to organisations based outside the EU if they collect or process the personal data of individuals located within the EU. The Regulation does not apply to the processing of data by a person for a "purely personal or domestic activity and therefore with no connection to a professional or commercial activity." (Recital 18)
According to the European Commission, "Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you must consider whether the individual is still identifiable. You should consider the information you are processing together with all the means that can reasonably be used by you or any other person to identify that individual." The precise definitions of terms such as 'personal data', 'processing', 'data subject', 'controller' and 'processor' can be found in Article 4 of the Regulation.
The Regulation does not purport to apply to the processing of personal data for national security or EU law enforcement activities; however, industry groups concerned about addressing a potential conflict of laws have questioned whether Article 48 of the GDPR could be invoked to seek to prevent a data controller subject to the laws of a third country from complying with a lawful order of that country's law enforcement, judicial or national security authorities to disclose an EU person's personal data to those authorities, regardless of whether the data resides within or outside the EU. Article 48 states that any judgment of a court and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognised or enforced in any way, unless it is based on an international agreement, such as a mutual legal assistance treaty in force between the requesting (non-EU) third country and the EU or a Member State. The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector that provides rules on personal data exchanges at State level, Union level, and international levels.
A single set of rules applies to all EU member states. Each member state establishes an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state co-operate with other SAs, providing mutual assistance and organising joint operations. If a business has multiple establishments in the EU, it must have a single SA as its "lead authority", based on the location of its "main establishment" where the main processing activities take place.