Right now, the GDPR is one of the, if not the, most influential and discussed privacy laws worldwide. Digital privacy is moving to the forefront of business practices more and more. And that's about time. 10 years after the Snowden files reached the earth's surface, we are still in the early innings of protecting our privacy.
Lately, authorities are taking a stance, and privacy NGO noyb is taking on the big guys (Facebook and Google), and everything seems to come back to the EU privacy law called the GDPR. This article elaborates more on this privacy law and tackles some general and important questions about it. What is the GDPR? When does it apply? How is it enforced?
- What is the GDPR?
- Does the GDPR apply directly?
- When does the GDPR apply?
- Who does the GDPR apply to?
- Who enforces the GDPR?
- Does the GDPR protect privacy?
- Who has rights under the GDPR?
- What are the principles of the GDPR?
- What data are personal data under the GDPR?
- What data are sensitive data under the GDPR?
- What data rights are protected by the GDPR?
- What are the duties under the GDPR?
- What are the fines under the GDPR?
- Does the GDPR require consent?
- Does the GDPR require consent for cookies?
- How does the GDPR regulate data transfers?
- Is the GDPR the only European privacy law?
- How do I comply with the GDPR?
Let’s find out!
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation of the European Union (Regulation (EU) 2016/679). It is the most important European privacy regulation and the core of the European data protection framework. The Regulation was approved in 2016 and came into force in 2018.
The GDPR aims to protect the data rights of individuals while encouraging the free flow of data. These aims are not easy to balance, and this is why the GDPR is a long and complex legislation with lots of principles, rules, and exemptions. But in a nutshell, the GDPR is about what can and cannot be done with personal data.
Does the GDPR apply directly?
Yes, because it is a Regulation. In European law, regulations differ from directives because they do not need to be implemented. Directives, on the other hand, do not apply directly and must be implemented through national legislation by the Member States.
The GDPR had a predecessor in the Data Protection Directive. The GDPR inherits many rules from the Directive, but it sets a stronger foundation for privacy rights across Member States because it is a regulation.
When does the GDPR apply?
The GDPR applies to every Member State of the European Union and the European Economic Area (basically the EU Member States, as well as Iceland, Liechtenstein, and Norway).
The GDPR also has an extra-territorial effect because it sometimes applies to companies and other entities outside the EU/EEA. The rules on the territorial scope of the GDPR are too complex to sum up in a few words, but to grossly simplify, we can say that it applies to any company or service targeting a European market or audience. You can refer to gdprhub.eu for a more detailed and accurate explanation.
It should also be noted that the GDPR only applies to personal data.
Who does the GDPR apply to?
The GDPR applies to data controllers and data processors.
The data controller is the entity that “controls” the data processing- because it decides the means and purposes of the processing. On the other hand, the data processor is the entity that processes data on someone else’s behalf and follows their instructions. So, if a company uses a cloud service to store the personal data of employees, the company is a data controller, and the cloud provider is a data processor (while the employees are the data subjects).
Other scenarios are possible. If there are two or more controllers for a single processing operation, they are joint controllers. And if a processor works for another processor, they are a subprocessor.
The distinction between controller and processor is important because they have different obligations under the GDPR. It is also tricky: some cases are clear cut, but others are more complicated.
Who enforces the GDPR?
Both courts and data protection authorities enforce the GDPR.
Every EU and EEA Member State has a data protection authority (DPA), and some have more than one, like Germany. DPAs are administrative authorities acting under national law to enforce the GDPR and privacy law.
All DPAs are part of the European Data Protection Board, an EU institution coordinating the enforcement of the GDPR. The EDPB decides cross-border cases DPAs disagree upon. The Board is also quite active in issuing guidance which is non-binding but highly influential.
It is also possible to enforce the GDPR through the judiciary system of Member States. So, if your rights under the GDPR are violated, you can go to court and seek damages or file a complaint to your national DPA.
There are important differences between these two routes of enforcement. For instance, DPAs have no authority to award damages, and civil courts have no authority to issue fines. So courts and DPAs play different roles in enforcement.
Appeals work in a different way for courts and DPAs, but in both scenarios, a case can end up in the EU Court of Justice. The Court of Justice essentially has the last word on the interpretation of the GDPR. This is why DPAs, data lawyers, and national courts often refer to the Court’s case law when interpreting the GDPR. If you follow our blog, you probably lost count of the times we mentioned the Schrems II ruling- we sure have!
Does the GDPR protect privacy?
Kind of. To be exact, it safeguards the right to data protection. Privacy and data protection are often used as synonyms. We do it, too, sometimes, for the sake of readability. But the European Charter of Fundamental Rights recognizes them as distinct human rights, so the two are not exactly the same under EU law.
The distinction between privacy and data protection may seem strange initially but it makes sense from a practical perspective. To exercise your rights under the GDPR, you do not need to prove that some intimate information was revealed or that your private sphere was invaded in any other way. If someone processes your personal data, you simply have rights under the GDPR. So the distinction between privacy and data protection makes it easier to exercise your rights, and that’s what really matters.
Who has rights under the GDPR?
Every person in Europe has rights under the GDPR, regardless of their residence or citizenship. This means that EU and non-EU citizens have the exact same rights under the GDPR as long as they are in the EU/EEA. On the other hand, an EU citizen doesn’t enjoy any data rights under the GDPR when they are outside the Union/EEA.
Additionally, every person has rights under the GDPR, wherever they are, as long as their data are processed in Europe. For instance, a French company that exclusively processes data of Japanese residents is still bound by the GDPR.
What are the principles of the GDPR?
Most of the GDPR’s principles are found in Article 5:
- data must be processed lawfully, fairly, and transparently (lawfulness, fairness, and transparency principles)
- data must be collected for a specific purpose and must be adequate to that purpose (purpose limitation)
- data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization- we wrote about this)
- data must be accurate and kept up to date (accuracy)
- data must be erased or anonymized as soon as they are not needed anymore (storage limitation)
- data must be processed in a secure and confidential way to prevent data breaches (integrity and confidentiality)
- if you process personal data, you are responsible for demonstrating your compliance with all these principles (accountability).
What data are personal data under the GDPR?
Personal data are any information relating to an identified or identifiable natural person (a data subject in the GDPR).
In legalese, a natural person is a person in the common sense of the word. So individuals have rights under the GDPR, while public and private organizations do not. The deceased also have no rights under the GDPR.
Data do not need to be privacy-invasive to receive protection- they just need to be related to someone. It wouldn’t be the end of the world if you learned that I had coffee this morning, but this information is still personal data because my name is on top of this blog.
The definition of personal data looks simple enough, but it really isn't. “Identifiable” is the slippery part. According to the GDPR, a data subject is identifiable when they can be singled out, that is, when data can be referred to them individually. The data do not need to reveal the data subject's identity in order to count as personal data.
For instance, some cookies contain unique identifiers, which are randomly generated strings of letters and numbers. These strings contain no information on the data subject's identity, but their unique nature makes them personal data under the GDPR because each string refers to a single user.
The definition of personal data has other important consequences. Certain data may not identify a person independently, but might do so when combined with other data (think of the way some websites fingerprint users based on device data). This can make the data personal under the GDPR. Anonymized and aggregate data present similar issues with re-identification.
Bottom line, the notion of personal data is a big can of worms. We can't go any deeper here, but if you’re curious, the gdprhub offers some valuable commentary on the topic.
What data are sensitive data under the GDPR?
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data about someone’s sex life or sexual orientation are all treated as sensitive data by the GDPR.
The GDPR sets out specific and stricter rules for processing sensitive data.
What data rights are protected by the GDPR?
There are quite a few. Most of them are meant to give people some control over their data. For instance, you can request the erasure or correction of your data, can request access to them, and have a right to receive some basic information on the processing of your data. In some situations you can also object to the processing of your data or revoke your consent to the processing.
What are the duties under the GDPR?
Every right of the data subject entails a duty of the controller. So, when you exercise your right to have your data erased, the data controller has a duty to delete them, and so on.
Data controllers also have duties with no direct counterpart among the data subject’s rights. For instance, controllers must process personal data lawfully, must not store them for longer than needed, must process them securely, and must notify data breaches to data protection authorities. These are all general duties under the GDPR, and controllers must fulfill them even if the data subjects do not require them to.
Controllers must also be able to show that they are complying with the GDPR. This is known as the accountability principle.
Data processors also have duties, but most of them are different from those of a controller. This makes sense because they follow instructions and don’t have as much decision-making power as the controller of the data.
What are the fines under the GDPR?
The GDPR has a reputation for scary fines. Sanctions are capped at €20M or 4% of a business’s global annual turnover, whichever is higher. The current record holder is Amazon, with a €746 million fine, and we recently discussed two fines issued against Meta for a total of €390M.
(Update: Meta was fined €1.2 billion and now holds the record!)
Compliance can be costly, but fines are tailored on a case-by-case basis. Small businesses that made an honest mistake and large companies trying to game the system are treated differently. And DPAs typically try to work with companies toward compliance rather than issuing big fines left and right. They look favorably at companies that collaborate with the investigations and take steps to address compliance issues, even if they only do so after a complaint was filed.
Does the GDPR require consent?
No, the GDPR does not require consent. Not always, at least.
We wrote a blog about consent already, so here is a condensed explanation: under the GDPR, data can only be processed for a reason. Every data processing operation needs a legal basis- essentially, a justification. Consent is one of these justifications. The GDPR includes five more, such as legitimate interest or a legal obligation.
So the most correct answer to the question is that it depends. The notion that the GDPR always requires consent is wrong. But you always need a legal basis for processing data. This could be consent or something else (such as a legal obligation or the performance of a contract). And there are indeed cases where consent is the only option because no other legal basis applies to the specific scenario at hand- but that is not a general rule.
Does the GDPR require consent for cookies?
It depends. Necessary cookies, such as security cookies, do not require consent. On the other hand, non-necessary cookies, such as analytics and marketing cookies, always require consent. This is why you see so many cookie banners when browsing.
This is not because of the GDPR. Cookies fall under the ePrivacy Directive, and the Directive requires consent for cookies. On a side note, the Directive also covers technologies similar to cookies, such as advertising trackers on devices (we recently covered an interesting case about this issue).
How does the GDPR regulate data transfers?
In principle, data should be transferred safely outside Europe. To ensure this, the Regulation sets out a complex system of rules for data transfers. We discussed this topic in depth, but in a nutshell, whenever you transfer data to a third country, you need to rely on one of several compliance mechanisms listed by the GDPR, all of which are meant to act as safeguards for the data.
This is complicated for the US because of the extent and invasiveness of State surveillance over foreign data. The risk of surveillance is the reason the European Court of Justice invalidated an existing mechanism for data transfers between the EU and the US (the Privacy Shield) in the 2020 Schrems II ruling. Overall, the ruling makes it quite difficult to comply with data transfer rules when sending data to the US.
Schrems II is at the heart of Google Analytics’ issues with data transfers and is the reason why Google Analytics was practically banned in Austria, France, Italy, Denmark, and Finland (as well as Norway, although the decision is only preliminary). Schrems II is also the reason Meta was fined €1.2 billion and is currently risking a Facebook blackout in Europe.
But the issue is bigger than Facebook and Google Analytics. In the future it may involve other service providers, including key services such as AWS, Oracle, and Microsoft Azure.
This is why the EU Commission is working on the Trans-Atlantic Data Privacy Framework, a new system to facilitate EU-US data transfers. But it is not clear whether the new framework will solve the problems of the Privacy Shield. And at some point, the Trans-Atlantic Data Privacy Framework will surely be challenged in the Court of Justice as well (likely by Mr. Schrems himself).
Bottom line, the future of EU-US data transfers will remain uncertain until we get a "Schrems III" decision.
Is the GDPR the only European privacy law?
No. The GDPR is crucial for EU privacy law, but there are other important sources as well.
We already mentioned one of them: the ePrivacy Directive. The Directive mostly addresses the providers of communication services, such as telecom companies and Internet providers (but the cookie rules we mentioned have a wider scope). An ePrivacy Regulation is in the works and is meant to replace the Directive, much like the GDPR replaced the old Data Protection Directive.
The Law Enforcement Directive is another piece of the puzzle. It deals with criminal investigations and criminal justice and was drafted and approved in parallel with the GDPR. The Directive’s subject matter falls outside the scope of the GDPR, so the two sources complement each other.
Other sources of EU law are not privacy laws but impact privacy rights. The recent Digital Markets Act and Digital Services Act are two notable examples.
On a higher level, the Charter of Fundamental Rights of the European Union protects the rights to privacy and data protection. The Charter has the same legal status as the Treaties that establish the Union: it is one of the highest sources of EU law and “trumps” Directives and Regulations.
The European Convention on Human Rights also recognizes privacy as a fundamental right. The Convention is not technically a part of the EU legal framework but is influential in EU law nonetheless. The same goes for the case law of the European Court of Human Rights, a court that enforces the Convention and is not an institution of the EU.
How do I comply with the GDPR?
There is no single catch-all answer. There is no comprehensive checklist, either. Every compliance strategy needs to be tailored to a specific scenario and account for the types of data, the purposes for which they are processed, the scale of the data processing, and so on. A good compliance strategy must involve all stakeholders within an organization and requires a good understanding of the way data are processed, which is not trivial (yes, Meta, I’m looking at you).
That being said, Article 5 GDPR sums up most of the principles behind the GDPR, so you could use it as a starting point to ask yourself the right questions. For instance:
- what legal basis do I have for processing personal data?
- am I providing sufficient information to my customers or any other person the data refer to? Do they understand what I do with their data and why I do it, at least in very general terms? Do they understand what their rights are and how to exercise them?
- do I collect data with a clear and specific purpose in mind?
- do I really need all these data? Are there any I could erase or anonymize? Am I storing data for longer than needed?
- is there anything I can do to mitigate the risk of a data breach? Can I improve the technical security of my systems? Can any of my staff access personal data they don’t really need?
- can I explain what makes my data processing compliant? And can I document these reasons?
These are not easy questions, but keeping them in mind is a good first step, even if you don’t have all the answers yet.
Other than that, make sure you are using consent the right way. Consent is sometimes seen as a silver bullet for compliance, but there are limits to what consent allows you to do and scenarios where relying on consent does not work. Our blog can give you a quick overview of how consent works under the GDPR.
Finally, if you are using Google Analytics, moving to a different service for web analytics will be a step toward compliance. Of course, there is much more to compliance, but ditching Google Analytics is the low-hanging fruit for many organizations.
We are passionate about privacy. This is why we do our best to cover privacy news and discuss privacy law in an accurate and accessible way. We believe that privacy law concerns us all and should not be the domain of lawyers and speakers of legalese.
We also believe that the Internet could be a better, more privacy-friendly place. This is why we built Simple Analytics. We are proud to provide our customers with all the insights they need, without tracking users and without collecting personal data. If this sounds good to you, feel free to give us a try!