The European Parliament and the Council of the European Union have introduced a unified set of rules for organisations that collect the personal data of people in the European Union: the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. The regulation was adopted in April 2016 and takes effect on 25 May 2018, after a two-year transition period. Once effective, it is directly binding in every EU member state, unlike a directive, which each country must first transpose into national legislation. The GDPR therefore unifies data-privacy law across the EU.
The GDPR also simplifies the data-protection framework for data controllers and data processors. It establishes a central European Data Protection Board, which coordinates the independent supervisory authorities that every member state must maintain. Each controller and processor that operates in several member states deals primarily with a single lead supervisory authority, determined by the location of its main establishment. This arrangement is intended to work as a one-stop shop for controllers and processors.
Under the current rules there is ambiguity about the reach of EU data-protection law. The question of which companies fall within the jurisdiction of the EU's privacy rules has been argued in many court proceedings.
The GDPR removes this ambiguity: any organisation that controls or processes the personal data of data subjects who are in the EU falls within its scope, regardless of where the organisation itself is based. Even a company established outside the EU is covered when it processes the personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour.
A second source of ambiguity is removed by a precise definition of personal data. According to Article 4 of the regulation:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Companies based in the United Kingdom that control or process the personal data of people in the EU also fall within the scope of the regulation, regardless of what happens after Brexit. However, the position of UK-based companies that only control or process the data of UK residents remains unclear at the time of writing.
The GDPR gives people back control over the personal data that companies routinely collect about them for various purposes. To make that control effective, the regulation grants data subjects a number of rights and options. The main rights and options are the following:
These are some of the main rights and options that give data subjects effective control over their personal data. Every data controller and data processor is obliged to facilitate the exercise of these rights.
A range of sanctions can be imposed on organisations that fail to comply with the regulation, from periodic data-protection audits to fines of millions of euros. The regulation sets out two tiers of administrative fines. For the most serious infringements, such as processing personal data without a valid legal basis (for example, without sufficient consent from the data subject), the fine can be up to 4 percent of the organisation's total worldwide annual turnover for the preceding financial year or 20 million EUR, whichever is greater. Less serious infringements, such as failing to keep adequate records of processing, carry fines of up to 2 percent of worldwide annual turnover or 10 million EUR, whichever is greater.