Significant technological advancement and progress in the 21st century made the EU’s last century's set of rules that defined the personal data protection obsolete. Today’s data collection, process, and access methods no longer resemble the methods used two decades ago, complicated by the 28 EU Member States’ transposition of rules differently diverging in enforcement, resulting in a costly administrative burden for businesses. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale to pursue their activities. Individuals increasingly make personal information available publicly and globally, without being fully aware of the risks involved. While the debate continues over reconciliation of security and privacy around the world, the General Data Protection Regulation (GDPR) published on 4 May 2016 will be implemented after a 2-year transition period on 25 May 2018 for any organization that operates in the EU and processes the personal data of EU subjects.
The Data Protection Directive applies to countries of the European Economic Area (EEA) including all EU countries and non-EU countries Iceland, Liechtenstein, and Norway. The Directive states that personal data can only be transferred to countries outside the EU and the EEA when an adequate level of protection is guaranteed. The Data Protection Directive requires that data transfers should not be made to non-EU /non-EEA countries that do not ensure adequate levels of protection.
The new GDPR introduces a single and technologically neutral and future-proof set of rules across the EU to enhance the internal market dimension of data protection, by reducing fragmentation, strengthening consistency and simplifying the regulatory environment to eliminate unnecessary costs and reduce administrative burden; to increase the effectiveness of the fundamental right to data protection and put individuals in control of their data; and to enhance the coherence of the EU data protection framework, including in the field of police cooperation and judicial cooperation in criminal matters, taking full account of the entry into force of the Lisbon Treaty.
The GDPR gives government powers to impose severe fines on corporations which misuse data, contains a clause which could mean citizens are entitled to have any machine-driven decision process explained to them, codifies the right to be forgotten, and regulates the transfer of EU citizens’ private data overseas. EU citizens will also have a right to data portability, i.e. the right to obtain a copy of their data from one Internet company and to transmit it to another one without hindrance from the first company.
The GDPR provides the data subject the right not to be subject to a decision based solely on automated processing which produces legal effects concerning the data subject or similarly significantly affects the data subject, and the right to a meaningful explanation of the logic involved. The new rules by eliminating the need to consult with local lawyers to ensure local compliance resulting in legal certainty and direct cost savings of an estimated €2.3 billion per year.
Read more on international transfers of personal data:
Binding Corporate rules
Commission decisions on the adequacy of the protection of personal data in third countries
Model Contracts for the transfer of personal data from the EU/EEA to third countries
Transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP)
Frequently asked questions
Follow the following process before any transfer of personal data takes place
: Step-by-step decision-making process at http://ec.europa.eu/justice/data-protection/international-transfers/files/international_transfers_faq.pdf
 DATA PROTECTION REPORT: http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_en.pdf
 Reform of EU data protection rules: http://ec.europa.eu/justice/data-protection/reform/index_en.htm
COMMISSION STAFF WORKING PAPER EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_73_en.pdf
CONSOLIDATED TEXTS OF THE EUTREATIES AS AMENDED BY THE TREATY OF LISBON:
Treaty of Lisbon (2007) http://www.eudemocrats.org/eud/uploads/downloads/Consolidated_LISBON_TREATY_3.pdf
Proposed in 2007, the Lisbon Treaty was ratified by most member states in 2008, but a referendum in Ireland—the only country that put the Lisbon agreement to a public vote—rejected it on June 12, 2008, thus jeopardizing the entire treaty. More than a year later, on October 2, 2009, Ireland held a second referendum, which passed. Poland’s government also had expressed reservations, but it ratified the treaty a week after the Irish vote, after securing opt-outs from EU policy on some social issues, such as abortion. The Czech Republic was the last remaining holdout: though its Parliament had ratified the treaty, the country’s president, Václav Klaus, withheld his signature. Finally, after the Czech courts ruled that the treaty did not violate the country’s constitution, Klaus signed it on November 3, 2009. The Lisbon Treaty, thus ratified by all 27 member states, entered into force on December 1, 2009. https://www.britannica.com/event/Lisbon-Treaty
 Factsheet on the Right to be Forgotten: http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
 How will the EU’s reform adapt data protection rules to new technological developments? http://ec.europa.eu/justice/data-protection/document/factsheets_2016/factsheet_dp_reform_technological_developments_2016_en.pdf
 How does the data protection reform strengthen citizens’ rights? http://ec.europa.eu/justice/data-protection/document/factsheets_2016/factsheet_dp_reform_citizens_rights_2016_en.pdf
 EU Data Protection Reform What benefits for businesses in Europe? http://ec.europa.eu/justice/data-protection/document/factsheets_2016/data-protection-factsheet_01a_en.pdf
 FREQUENTLY ASKED QUESTIONS RELATING TO TRANSFERS OF PERSONAL DATA FROM THE EU/EEA
TO THIRD COUNTRIES http://ec.europa.eu/justice/data-protection/international-transfers/files/international_transfers_faq.pdf
For more information and to learn how CIP can help you prepare for GDPR compliance, please contact:
Dr. Rao Vepachedu, JD, PhD, LLM
Chief Privacy Officer
Office of the Chief Privacy Officer
Cardinal Intellectual Property, Inc.
1603 Orrington Avenue
Evanston, IL 60201
(847) 859-3077 (Direct)
(847) 905-7122 (Main)
(847) 905-7123 (Fax)