European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting
14 Pages Posted: 9 Jan 2017 Last revised: 18 Jan 2017
Date Written: January 5, 2017
This article discusses a few of the most important European data privacy law developments in recent history – perhaps the most significant since 1995 when the European Union adopted the Data Protection Directive. These include the adoption of the General Data Protection Regulation (GDPR), the invalidation of the U.S. – EU Safe Harbor cross-border personal data transfer framework in the Schrems decision, and the Safe Harbor’s subsequent replacement by the Privacy Shield. The latter allows transfer of personal data (such as data about employees and prospects) from the European Union to the United States, upon certification of commitments by participating companies, and provides guarantees from U.S. agencies and means of enforcement in case of violations.
The article also covers continuing developments concerning the “right to delisting,” which was applied in the 2014 Google Spain decision. Treatment of the GDPR, which will be applicable as of May 2018 (allowing companies time to prepare), includes its extended territorial scope, changes to personal data processing principles, provisions regarding storage of data for public interest, scientific, historical or statistical purposes, developments regarding legitimate bases for processing, including consent, increased data subject rights which will require companies to take action, as well as new compliance requirements which may include, when applicable, performing data protection impact assessments and/or hiring data protection officers. Furthermore, new record-keeping obligations, new requirements for data breach notifications, and higher administrative fines are detailed.
Keywords: European Union Data Privacy Law, Data Protection, Privacy, Data Privacy, Information Privacy, General Data Protection Regulation, EU Data Protection,Schrems, Safe Harbor, Privacy Shield, Transatlantic Data Flows, GDPR, Right to Delisting, Right to Be Forgotten Google Spain, Costeja, DPO, DPIA
JEL Classification: K1, K10, K2, K29, K33, K20
Suggested Citation: Suggested Citation