General Data Protection Regulation

From SI410
Jump to: navigation, search

The General Data Protection Regulation, or GDPR, is reform of data protection policy, created by the European Union (EU) in May 2018. This set of policies applies to all companies operating in the EU, whether they are based in the EU or not, and processing the data of individuals living in the EU. Personal data is defined as something that identifies a person. This includes, but is not limited to: name, address, IP address, browsing history, etc. The main aim of the GDPR is to “harmonise” data protection in Europe as well as protect individuals’ data privacy. The regulation took four years of preparation. Companies were given from May 2016 to May 25, 2018 to implement the new regulation and if companies failed to comply, they could face immense fines. [1]


The GDPR has 99 articles that work to 1) protect individuals’ data in the EU, giving them control over their own personal data and 2) hold organizations accountable by mandating evidence and justification for why they are using that data. [3]

The GDPR has a significant effect on not only countries in the EU, but also all other countries that manage and hold data of EU citizens.

History of Data Protection in the EU

GDPR was preceded by the Data Protection Directive, which was adopted in 1995. The directive addresses personal data in a broad sense, since it does not specify that personal data has to be automated in order to be regulated. The main three principles allowing data to be processed are the following: transparency, legitimate purpose, and proportionality. [4]

Prior to the Data Protection Directive, laws about data privacy varied widely in the European Union. A non-binding agreement was made in in 1980 called the "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data" [5] which outlines seven recommendations for properly managing personal data. While the agreement was difficult to implement widely, the Data Protection Directive used many of it's principles in creating a more modern system for regulating data.


Of the 99 articles in the GDPR, there are 11 chapters and 171 recitals. The 11 chapters go as follows: [6]

  • I – General provisions
  • II – Principles
  • III – Rights of the data subject
  • IV – Controller and processor
  • V – Transfers of personal data to third countries or international organisations
  • VI – Independent supervisory authorities
  • VII – Cooperation and consistency
  • VIII – Remedies, liability and penalties
  • IX – Provisions relating to specific processing situations
  • X – Delegated acts and implementing acts
  • XI – Final provisions


The GDPR refers to three different groups in the language of the regulation. Data controllers are companies that collects data from residents of the EU. A data processor is a company that processes data for data controllers, such as a cloud service provider. These two groups are both held accountable for how they manage personal data. The other major group that is addressed are individuals and what is detailed are their specific rights in relation to their personal data. Some of the key aspects of the GDPR articles are the following: [7]

Individual Rights under GDPR[8]

Breach Notification

Article 33 requires that organizations must notify parties whose data has been compromised within 72 hours of a breach. [9] The 72 hours begin immediately after a data processor discovers the breach and if the parties are not notified in time, companies could encounter large fines. [10] The importance of this article is to push companies to increase security in order to avoid security breaches.

Right to Access

Article 15 of the GDPR allows citizens of the EU to access their own data as well as discover information about how their personal information is being processed. The request to access data can be made verbally or in writing by the individuals in question. The time limit for a company responding to a request is one month and must be free of charge. [11]

Right to Erasure

Article 17, known as the right to be forgotten, provides individuals the right to demand that their personal data be erased. This request may be made verbally or in writing and companies must respond to the request within one month, as well. [12] There are some exceptions to the right of erasure. For example, if an official must use data complete a task or if the data must be used to carry out a task for the public interest, the right of erasure is waived. [13]

Right of Data Portability

Article 20 requires data processors to provide transparent means for users to audit and access their data for their own personal use. Users can move their data from one technological space to another, safely. Specifically, the user can only access data that they themselves have provided to the controller. [14]

Privacy by Design

This article calls for data privacy to be implemented in the design of an organization rather than added later on. While this concept has been in existence, the GDPR has formally made it a legal requirement. [15]

Data Protection Officer

Businesses are required to appoint a Data Protection Officer (DPO). The DPO may be a shared officer amongst several institutions or outsourced. The role of the DPO is to ensure an organization complies with GDPR.

Article 83 and Fines

Data protection authorities are given the power to fine companies in Article 83 of the GDPR. The monetary value of the fine is €20 million or 2% of the company’s worldwide revenue (whichever is larger). For larger infractions, the fine is €40 million or 4% of the company’s worldwide revenue. [16] Large multinational Fortune 500 companies have spent as much as a combined $8 billion on compliance in order to avoid future costly fines. [17]


Initial Impact

On May 25, 2018, a large number of high-profile websites had to temporarily disable services in Europe. The websites included New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun. The message on the websites indicated that they were only temporarily inaccessible in an effort to manage compliance with the new regulations of GDPR. [18]

Chicago Tribune Unavailable Message[19]

Legal Issues

Almost immediately after GDPR was officially implemented, companies such as Google, Instagram, Facebook, and WhatsApp were fined for forcing users to give consent to their personal data. The data was intended for target advertising. [20] Google was fined 50 million euros for not properly disclosing to users how their data is obtained. The fine against Google was the fourth fine against a company since May 2018, when GDPR was implemented. The major change that Google has to make is that they must receive consent from users before building advertising profiles from their data. [21]

Permanent Impact

Due to the GDPR mandating large changes, certain companies have opted to end their operations because the cost of complying would harm the company anyways. Uber Entertainment is a gaming company who decided to shut down their company because of the difficulty and the cost of rewriting the games to delete user data. Other companies have taken different approaches by simply blocking European users from accessing their product. [22]


Email consent has changed majorly due to the GDPR. Now, consent must be affirmative, meaning, users must willingly provide their email address rather accept a pre-ticked box. Similarly, consent cannot be subtly included in other terms and conditions. Email consent must be kept separate in order to allow users to visually see the difference between opting in and accepting terms. Users must be able to also have the option to easily withdraw their consent. Evidence of the consent must also be well documented. Finally, organizations must reevaluate their existing consent methods in order to accommodate to the new changes. [23]


While cookies only appear in the GDPR language briefly, the changes that have occurred on many websites, in order to ensure compliance, are very noticeable. Cookies that can identify an individual are considered personal data. In general, a lot can be determined by one’s cookies, such as preferences and activity. Therefore, individuals may now notice that they must consent to cookies being used. The main change that has occurred is that websites must be explicit and detailed in asking for consent, by explaining how the cookies will be used. There must also be an option to reject cookies. The GDPR is not an attempt to eliminate cookies, but rather enforce transparency and give users the right to know where their data is going as well as manage who can have their data. [24]


Defining Privacy Rights in the Infosphere

As technology has evolved, privacy has been compromised. Luciano Floridi theorizes about the impact that ICTs have on individuals and the defining issues of data privacy. When technology breaks the barrier of trust by taking personal information from an individual without them knowing, an individual can feel vulnerable. As Floridi says, "Confidentiality is an intimate bond that is hard and slow to forge properly… but it is also a bond brittle and difficult to restore… since the disclosure, deliberate or unintentional, of some personal information in violation of confidence can entirely and irrecoverably destroy privacy…" [25] The clash between privacy and technology arises from the speed at which technology evolves. The problem lies in how policies that protect users quickly lose value as newer technologies emerge. James H. Moor explains that conceptual muddles develop as a result of technological revolutions. These conceptual muddles refer to the ethical dilemmas faced by both users and organizations that use technology. [26]

Rights Afforded Before General Data Protection Regulation

Before the GDPR, users personal data was previously could be taken without the users explicit consent or complete knowledge of it. Companies could legally release privacy statements in fine print on websites with language that was not transparent or used difficult legal terms. Moor emphasizes that policies must be put in place as the consequences of technology continue to unfold, which can be seen applicable in this case where entities would use people's information without their discretion since legislation was not in place. [26] The GDPR aims to prevent this obscuring of individual privacy right Informational transparency by making privacy statements easier to understand and access for consumers, and requiring their explicit consent to use the information they share or generate. With the GDPR now in place, the question is whether or not those affected by entities collecting user data that would now be violations under the GDPR will get compensation through rights to that older data or if those entities are allowed to keep that data.

Furthermore, competition was largely based on how much data one could obtain and use to their advantage. Margrethe Vestager even says that data is the newest form of currency. While the ethical issues about competition in the data realm existed before GDPR, a new form of competition, or rather the lack thereof, arises now that GDPR has been implemented. [27] GDPR has had large impacts on companies and has put the survival of certain companies at risk as well. This has presented some criticism, combining data ethics with commerce even further. Because companies have suffered and had to shut down, GDPR can be seen as favoring larger companies who can afford to make the changes necessary to comply with the regulation. The fines for not complying have minimal damage to large companies. On the contrary, smaller business must either end operations completely or make costly changes to their systems, which can have large financial impacts on the company

Global Applications

While countries outside of the EU are well affected by the changes that the GDPR has created, many countries, like the United States, still lack the same standards. This presents another ethical challenge. As the right of EU citizens are legally protected, those who are not protected may find issues and higher expectations with the lack of policies protecting data privacy moving forward. Apple CEO, Tim Cook, is an advocate for bringing similar regulations to the United States because, "platforms and algorithms that promised to improve our lives can actually magnify our worst human tendencies." [28][29] These "human tendencies" are presented by the lack of universal data protection policies, causing these ethical dilemmas.

See also


  1. “The EU General Data Protection Regulation (GDPR) Is the Most Important Change in Data Privacy Regulation in 20 Years.” EUGDPR Home Comments,
  2. “GDPR - Key Elements and Steps to General Data Protection Regulation.” GBHackers On Security, 4 Feb. 2019,
  3. Beyond Law: Ethical Culture and GDPR -
  4. “What Is the Data Protection Directive? The Predecessor to the GDPR.” Digital Guardian, 12 Sept. 2018,
  5. “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” OECD,
  6. Vollmer, Nicholas. “Table of Contents EU General Data Protection Regulation (EU-GDPR).” Table of Contents EU General Data Protection Regulation (EU-GDPR). Privacy/Privazy According to Plan., SecureDataService, 5 Sept. 2018,
  7. “GDPR Key Changes.” Key Changes with the General Data Protection Regulation – EUGDPR,
  8. “What Positive Impact Do You Think the General Data Protection Regulation Will Have on Individuals' Privacy?”, Quora, 16 May 2018,
  9. “Art. 33 GDPR – Notification of a Personal Data Breach to the Supervisory Authority.” General Data Protection Regulation (GDPR),
  10. GDPR Data Breach Notification,
  11. “Right of Access.” ICO,
  12. “Right to Erasure.” ICO,
  13. “The Right to Erasure or Right to Be Forgotten under the GDPR Explained.” i-scoop,
  14. “Right to Data Portability.” ICO,
  15. “Privacy by Design.” General Data Protection Regulation (GDPR),
  16. “Guest Post: What Can the First GDPR Fines Tell Us?” The D&O Diary, 4 Dec. 2018,
  17. “The Cost of GDPR Compliance.” HIPAA Journal, 18 Jan. 2019,
  18. “GDPR: US News Sites Unavailable to EU Users under New Rules.” BBC News, BBC, 25 May 2018,
  19. Satariano, Adam. “U.S. News Outlets Block European Readers Over New Privacy Rules.” The New York Times, The New York Times, 25 May 2018,
  20. Foxx, Chris. “Google and Facebook Accused of Breaking GDPR Laws.” BBC News, BBC, 25 May 2018,
  21. [Satariano, Adam. “Google Is Fined $57 Million Under Europe's Data Privacy Law.” The New York Times, The New York Times, 21 Jan. 2019,
  22. The cost of complying with the new law has already forced an online game producer. “GDPR: These Companies Are Getting Killed by Europe's New Data Protection Law.” CNNMoney, Cable News Network,
  23. “5 Things You Must Know about Email Consent under GDPR – Litmus Software, Inc.” Litmus Software, Inc., 10 Oct. 2018,
  24. “GDPR and Cookies | What Do I Need to Know? | Is My Use of Cookies Compliant?” Cookiebot,
  25. Floridi, Luciano. The 4th Revolution Chapter 5. Oxford University Press, 2014.
  26. 26.0 26.1 James H. Moor, "Why we need better ethics for emerging technologies". Ethics and Information Technology (2005) 7:111–119.
  27. Matthews, Kayla. “How GDPR Is Affecting Big Data Ethics | Articles | Chief Digital Officer.” Articles | Chief Digital Officer | Innovation Enterprise, 11 Oct. 2018,
  28. England, Rachel. “Tim Cook Calls for GDPR-Style Privacy Laws in the US.” Engadget, 24 Oct. 2018,
  29. “Tim Cook.” Wikipedia, Wikimedia Foundation, 3 Apr. 2019,