The European Union’s General Data Protection Regulation (GDPR) is a law that became applicable in May 2018. The GDPR strictly limits how database information is used and who has access to it. Some restrictions include registering all databases containing personal information with the countries in which they are operating, collecting data only with the consent of the subjects, and telling subjects of databases the intended and actual use of the databases. Before you start this week’s discussion, read the article below.
In your initial post, discuss the following:
What effect might these restrictions have on global companies?
Should the United States bring its laws into agreement with the European Union’s?
Discuss your rationale. What are the potential outcomes of instituting such a regulation in the United States?
Optional: In addition to answering these questions, reflect on 1 to 3 key takeaways from this course.
ARTICLE:
The General Data Protection Regulation (GDPR) is a law within the European Union (EU) that requires businesses, governments, and other institutions to gather online consumer data in only legal, transparent ways and then store it safely and ethically so it cannot be misused or stolen. Data is any personal information that people submit to businesses, banks, or other groups online. It includes full names, addresses, credit card numbers, and other information.
Data breaches that result in this information being stolen can significantly harm individuals by exposing their financial or other private information. The GDPR requires all data-collecting organizations within the European Union and any organizations outside the European Union that conduct business with EU citizens to comply with its data protection mandates. Groups that fail to comply with the law by mishandling consumer data or not reporting data breaches can be fined millions of euros or taxed percentages of their annual global incomes. Upon its implementation in 2018, the GDPR was seen as a landmark in regulatory efforts regarding online privacy and data protection, with a significant global impact.
Background
The GDPR’s overall purpose of protecting consumer data is a chief concern of many organizations around the world in the twenty-first century. In the age of computers and digitized information, data protection is vital to ensuring that consumers’ identities, privacy, and finances remain secure from unauthorized viewing and theft.
Data in this context is personal information that organizations collect from consumers and store on computers. The information can be highly sensitive to individuals and is not intended to be seen by anyone other than the individuals themselves and the companies that collect and analyze the data. Many organizations collect consumers’ personal data, including retail companies, banks, hospitals, and governments.
Organizations may collect and store customers’ names, addresses, telephone numbers, email addresses, bank account information, credit card numbers, and medical histories. Other information organizations might gather from consumers includes race, ethnicity, sexual orientation, political affiliations, and criminal history.
Data collectors around the world are generally expected to adhere to certain legal and ethical guidelines when acquiring, storing, and using consumer data. Laws governing data use differ by country, but the ethical principles are nearly universal. For instance, the collection of data is expected to benefit both the collectors and consumers. Following this guideline ensures the data serves an actual purpose once collected. Another ethical principle regarding data collection involves progressiveness, or the ability to derive the most use out of the least amount of data.
Another important ethical principle data collectors might use is known as a sunshine test. Based on American laws known as sunshine laws—which require some government activities to be made available to the public—the sunshine test encourages data-collecting businesses to consider the potential effects of all their customers’ data being revealed for the public to see. If company leaders believe such revelations would harm their customers and the business, the leaders must take appropriate steps to secure and protect customers’ collected data.
Overview
In January 2012, the European Commission, which drafts legislation for and generally oversees the European Union, began planning to upgrade laws regarding data protection. The commission’s overarching goal was to modernize Europe’s digital protection laws in the era of computers and data. The European Union had already enacted a data protection law in 1995, but its stipulations were outdated by 2012, and each of the various EU member states executed the law differently. The European Commission viewed an update to the law as necessary to revitalize consumer confidence in European corporations and ultimately spur economic growth.
Negotiating the details of a new data protection law took the next four years. Into later 2012 and 2013, multiple EU parties expressed opinions on exactly what the law should be. In March 2014, the European Parliament, which votes on proposed EU legislation, overwhelmingly supported a data protection law that would protect computerized consumer information and grow the European Union’s economy.
The EU government defined many of the proposed law’s principles by June 2015. Various other bodies recommended changes to the text of the law over the next several months. By that December, the parliament, commission, and council all agreed on a finalized version of the GDPR. The law was passed in April 2016, although all data-collecting organizations across the European Union’s member states would have until May 2018 to implement the stipulations.
The GDPR is a wide-ranging law that mandates the responsible handling of data by any company within the European Union or outside the European Union that processes the data of EU citizens. This means the law affects major corporations around the world.
The GDPR requires these institutions to protect consumers’ names, addresses, biometric data (such as body measurements), racial backgrounds, political affiliations, sexual orientations, financial information, and web data such as Internet Protocol (IP) addresses. Businesses and other groups must collect consumer data legally and then prove they are protecting it from misuse and theft, both from within the organizations themselves and from potential external data thieves. Organizations must inform their customers how their data is being used, and they must report any data breaches in a timely manner.
The EU government intended the GDPR to stimulate economic growth and technological innovation. This is because, ideally, a singular authority governing data protection would enable businesses anywhere in the European Union to build data safety into their technology from the start of development. According to the European Commission, such uniformity of data protection laws across the European Union would save the EU economy billions of euros a year.
Penalties for failing to comply with the stipulations of the GDPR are mostly financial and are intended to be severe. The GDPR allows supervising authorities to inspect institutions for compliance with the law. These authorities may warn organizations that are found not to be complying to change their policies within a certain time. The authorities can also audit the companies or force them to delete or stop transferring their data completely. Organizations that fail to follow the law can be fined up to twenty million euros or 4 percent of their annual global revenue, whichever is higher. The exact amounts of the fines depend on the nature of the offense and the discretion of the supervising authorities.
In the months before the GDPR took effect, the independent British analysis firm Ovum reported that 52 percent of companies around the world predicted they would be fined for failing to adhere to the law within the first year of its enactment. EU member states were expected to incorporate the rules of the GDPR into their national laws by May 6, 2018. The law took effect on May 25, 2018.
Impact and Influence
The GDPR generated considerable controversy, with opponents particularly concerned about the costs for businesses (especially smaller companies) to achieve compliance. However, the law and its intent were generally praised by consumer advocates and internet freedom activists. It brought much attention to issues of data protection and online privacy around the world, and was widely acknowledged as a groundbreaking regulatory effort in that realm. Many experts considered this raised awareness among companies and the general public to be perhaps even more influential than the law’s specific implications. The GDPR also influenced similar laws in many countries, as well as the California Consumer Privacy Act (CCPA; passed 2018 and effective 2020), which was notable due to the presence of many major technology companies in California’s Silicon Valley.
Views on the GDPR’s impact in its first few years varied. Once the law became effective, lawsuits immediately began against many different companies over potential violations. While fines were issued in several cases, some observers noted that relatively little action was taken against the biggest and most powerful tech companies; a small fine against Facebook in Germany and a 50 million euro fine against Google in France were the highest-profile early cases. Some suggested the agencies tasked with oversight of the legislation were unprepared for the job, especially as the rules stipulated that complaints be investigated by the country in which a company based its European headquarters. Because many major tech companies were based in Ireland, the Irish Data Protection Commission (DPC) in particular was flooded with a wave of cases involving prominent companies such as Apple, Facebook, Google, Instagram, Twitter, and WhatsApp. Some analysts also expressed skepticism over the ultimate enforceability of certain regulations and noted ways in which companies were already manipulating user consent. Despite these challenges, many data experts argued that while the regulatory process was complex and would naturally take time to unfold, the GDPR had helped usher in a new approach to data protection. In 2021, the largest GDPR fine up to that point was issued to Amazon, and though some critics argued that more work was needed toward effective implementation, the Center for Strategic and International Studies reported in September of that year that 839 fines had been issued since the law went into effect in 2018.
Following the declaration of the coronavirus disease 2019 (COVID-19) pandemic in March 2020, a large-scale public health crisis, experts also debated how best to balance the GDPR’s protection of people’s privacy against the need to respond appropriately and effectively to the pandemic. As part of efforts to control the spread of the novel coronavirus, as well as to better understand it, institutions including government and health agencies as well as private entities sought to employ technological and policy measures to track and share health data. The widespread distribution of vaccines beginning in late 2020 and early 2021 raised further concerns, particularly for employers, about asking employees for their vaccination status in order to maintain workplace safety. As the pandemic continued into 2022, many experts and regulators argued that the GDPR could still be effective without hindering crucial public safety measures, as long as any data used or shared was limited to what was necessary and protected, and the individuals concerned were notified. Meanwhile, the European Data Protection Board had also issued guidelines specific to processing health data for scientific research related to COVID-19, and general regulation updates were made to the GDPR in 2021.