GDPR (Part 1):
Introduction to GDPR
What is GDPR?
GDPR stands for General Data Protection Regulation, and is a set of data privacy regulations implemented by the EU Parliament on April 14, 2016 (“GDPR”). GDPR is designed to harmonize data privacy laws across Europe, and generally sets forth requirements with respect to how information related to individuals may be collected and used.
To Whom does GDPR Apply?
GDPR applies to all entities who “process” “personal data” related to individuals residing in the European Economic Area. As a result, the vast majority of entities which sell products or provide services to individuals located in the European Economic Area are subject to GDPR.
The concepts of “processing” and “personal data” are at the core of GDPR, and they drive the determination of whether GDPR applies to a particular entity:
- “processing” is defined in Article 4 of GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”; and
- “personal data” is defined in Article 4 of GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Such definitions are broad, and “personal data” generally includes all information which can be linked to a specific individual. Moreover, “processing” covers almost all uses of personal data.
Why is GDPR Important, and What Does it Mean for the Future?
Almost every service we use – from retailers to email providers and social media networks – requires the collection and processing of our personal data. Entities may collect, store, and use a variety of personal information we provide, such as names, addresses and credit card numbers.
In recent years, the accelerated aggregation of personal data has led to the most serious data breaches in history, such as the 2017 and 2018 breaches of Equifax, Facebook, and Aadhaar, which collectively affected more than 1.25 billion individuals. GDPR seeks to ensure that personal information is protected not only against those who would seek to use it maliciously, but also against the entities which collect it.
In early 2018, Facebook lost more than 100 billion dollars in share value in a matter of days when news of the Cambridge Analytica data scandal broke. Facebook shared with Cambridge Analytica personal information related to an estimated 87 million users, without their consent. In March 2018, just two months before GDPR came into effect, Google released findings that between 2015 and 2018 its Google+ social network contained a glitch allowing developers to access the personal “Google+” profile data of countless users.
The litany of data breaches and the frequent misuse of personal information have not gone unnoticed, even in the US. Largely in response to the misuse of personal data by big-tech companies such as Google, Facebook, Amazon and others, various states are implementing their own regulations applicable to personal data and cyber security. For instance, the California Consumer Privacy Act will be effective January 1, 2020, and the New York State Legislature’s Cybersecurity Regulations went into effect March 1, 2019.