What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation is a proposed European Union regulation. The European Commission released its proposal in January 2012. The regulation will apply uniformly across Europe and will govern what governments and companies are allowed to do with citizens’ data. Are they simply allowed to save personal data (e.g. names, email addresses, location data, bank details, social network posts, medical data and lots of other data)? For what purposes may the data be used? Is it permissible to pass the data on to third parties? And must citizens always give prior consent? After almost four years of consultations, many observers expect that the Commission will soon reach an agreement with the European Parliament and Council on these and many other issues, and pass the regulation some time this year.
Why do we need the General Data Protection Regulation?
Data protection is an important basic right – especially in the age of digitisation and Industry 4.0. The current directive dates back to 1995. That was the year in which Sergey Brin and Larry Page, the two founders of Google, met for the first time at Stanford University, and in which Facebook founder Mark Zuckerberg was just starting secondary school. A lot has happened since then. The EU therefore intends to modernise its data protection legislation and adapt it to the internet age.
The existing directive is also applied differently depending on the member state – which means the level of data protection differs among the EU member states. The new law will not be a directive, it will be a regulation. Regulations are directly applicable in every EU member state. They do not need to be transposed into national law. This will therefore eliminate discrepancies within Europe in the future.
What are the most important issues that the General Data Protection Regulation will cover?
The GDPR will comprise many provisions. The following will be especially important for the German economy:
- A legal framework for the whole of Europe: the regulation will create uniform data protection rules that will be applicable throughout Europe. Companies will therefore have to comply with one law instead of 28. This will help to reduce costs. The European Commission estimates that companies will save approximately 2.3 billion euros per year as a result of the single set of rules. Small and medium-sized enterprises will be notable beneficiaries of this reduction in costs.
- A level playing field for everyone: the regulation applies to all companies that are either based in the EU or that process the personal data of EU citizens. That means that companies based outside Europe will also have to comply with GDPR rules in the future if they offer services in the EU. This creates the same conditions for all businesses operating in Europe.
- Central points of contact: companies and citizens will only have to contact one authority if they have questions or problems regarding data protection. This makes it easier and cheaper for companies to operate all across Europe. And in the future citizens will always be able to seek redress in their own language from their country’s national data protection authority, even if their personal data is processed outside their country.
What is German industry’s stance on the General Data Protection Regulation?
The BDI welcomes the legislative initiative, because it will modernise and standardise data protection law in the EU. Strong data protection will reinforce people’s trust in the digital world and eliminate competitive distortions between European companies and their competitors from other parts of the world. As the EU regulation is directly applicable, i.e. like a German law, there will be more legal certainty and uniformity in Europe than is the case today.