North Carolina Journal of International Law

"Connecting North Carolina to the World of International Law"

The GDPR: A Step in the Right Direction

By: Phil Pullen








Who is liable in the event of a data breach?  What information are governments and private companies allowed to collect about individuals?  What can these entities do with this information, and who can they provide it to?  These questions are frequently being asked by companies, individuals, and governments alike, but each are still in search of an answer.  It is no secret that data security and the protection of individuals’ private information online has been an area of growing concern and a source of much confusion over the past several decades. Governments seemingly have only made matters worse by continuously relying on outdated and piece-meal legislation to regulate both the public and private collection of data.  However, the European Union (EU) has taken a major step forward in this regard.  It recently enacted the General Data Protection Regulation (GDPR) in an effort to consolidate the myriad of regulations, statutes, and directives that govern data privacy and security in Europe.[1]  While it has drawn criticism from some,[2] the GDPR, in harmonizing data privacy laws across Europe and providing its citizens with enhanced freedoms and protections regarding their personal information, appears to take a step in the right direction.[3]

What is the GDPR?

The GDPR is a regulation recently enacted by the EU in 2016.[4]  While the GDPR was publicized in the EU Official Journal in May 2016, it won’t go into effect, and be officially enforced, until May 25, 2018, in order to give companies a chance to comply with the regulation’s new requirements.[5]  Primarily, the GDPR was enacted in order to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”[6]  Towards this end, the EU seeks to modify the existing state of data security regulation in two ways.[7]  First, the EU intends to give individuals more control over what personal information is online, and how it is used by public and private actors.[8]  As a result, the GDPR provides data subjects with easier access to their own personal data online, the right to data portability, the right to be notified when an individual’s data has been hacked, and even the right to have personal information permanently erased (known as the “right to be forgotten”).[9]  Second, the EU seeks to provide corporations with “a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.”[10]

Currently, the EU operates under the guise of the 1995 EU Data Protection Directive (DPD), and in addition, each member state maintains its own national data security laws.[11]  For example, the United Kingdom operates under the Data Protection Act (DPA) of 1988 in addition to the 1995 DPD.[12]  However, come May 2018, the GDPR will automatically apply to all member states of the EU, and each state will be forced to comply with the regulation’s requirements or face harsh penalties.[13]  In addition to the EU member states at large, any company that does business in Europe, including any company that markets goods or services to EU citizens regardless of that company’s location, will be subject to the regulation’s requirements as well.[14]  For example, “if you are [a company] currently subject to the [UK’s] DPA, it is likely you will also be subject to the GDPR.”[15]  As a result, this new framework has forced companies, large and small, to adapt to the new mandates set out in the regulation.

Many companies however, have failed to hit the ground running when it comes to preparing for the new enactments of the GDPR.[16]  According to a snap survey of 170 cyber security staff conducted by the cyber security software provider Imperva, only forty-three percent of companies are assessing the GDPR’s impact on their company and implementing new strategies and business models to accommodate those changes.[17]  Moreover, nearly a third of all businesses are saying they are doing nothing, and twenty-eight percent say “they are ignorant of any preparations their company might be doing.”[18]  However, companies will need to start reacting quickly in complying with the GDPR’s requirements, or else they will face severe penalties if found guilty of non-compliance.[19]

Key Changes

In attempting to address its mission, the GDPR promulgates a few “key changes” from the original DPA.[20]  One of the most impactful of these key changes, is the sheer increase in territorial scope of the GDPR.[21]  The regulation now applies to “all companies processing the personal data of data subjects residing in the Union, regardless of the companies’ location.”[22]  Traditionally, the territorial limits of the pre-existing directive (DPD) were ambiguous, and referred to the jurisdiction of data processing “in context of an establishment.”[23]  The GDPR clarifies its territorial bounds by adhering strictly to controllers—entities determining how and why personal data is collected and used[24]—and processors—entities acting on the controller’s behalf[25]—in the EU, regardless of where the information is processed.[26]  It also applies to controllers and processors collecting and using the personal information of data subjects in the EU, where the information relates to both the offering of goods and services to EU citizens and monitoring behavior taking place inside the EU’s bounds.[27]  “By linking the territorial scope to individuals’ personal data originating in the EU instead of connecting it to the establishment of the controller or the location of equipment, the application of EU data protection law will expand vastly.”[28]  Ultimately, this increase in both territorial and material scope will provide a significant benefit to EU citizens by ensuring their personal information is covered by the regulation no matter where in the world the controller or processor is.[29]

A second key change stemming from the adoption of the GDPR is the extensive number of rights given to data subjects.[30]  Under the GDPR, individuals will now have the right to ask for and obtain data from controllers and processors, and inquire into how, where, and for what purpose their personal information is being collected and disseminated.[31]  The GDPR gets rid of the £10 fee businesses and public bodies are permitted to charge when an individual requests information about the collection of their personal information, and businesses are now required to provide this information for free.[32]  Further, under what is known as the ‘right to be forgotten,’ individuals now have the right to have the data controller “erase [the individual’s] personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”[33]  This right is subject to limitation, however, and individuals can only make this request in certain circumstances, such as if the data is no longer relevant for the original purpose of collection, consent has been withdrawn, or if the data has been unlawfully possessed.[34]  Ultimately, these rights will provide individuals with the ability to track what and how much personal information companies, like Facebook or Google, maintain and distribute about them.[35]

Not all are satisfied with the GDPR’s changes and new requirements, however, as the regulation has drawn sharp criticism in certain respects.[36]  Many argue that the new requirements imposed on companies will “divert money away from investments that would create more productive jobs and benefit customers through lower prices and better product features . . . .”[37]  Even with respect to the ability of individuals to maintain increased transparency in data collection and power to request information about themselves, critics argue that these provisions will be “onerous in practice—like trying to sail with an anchor overboard.”[38]  There is also concern about the power of regulators to levy significant fines (up to £20 million) in the event of a non-compliance or data breach.[39]  However, while these concerns are not un-warranted, a vast majority of Europeans are concerned with the current state of affairs with respect to the collection, management, and dissemination of their personal information, and ninety percent say they want uniform data protection rights across the EU.[40]  The changes authorized by the GDPR will be sure to provide the authority and transparency regarding personal information that Europeans eagerly seek.


[1] How did we get here?, GDPR Portal, [] [hereinafter GDPR Portal].

[2] See Klint Finley, EU Cracks Down on Data Privacy, But Loopholes May Remain, Wired (Apr. 15, 2016, 12:15 PM), [].

[3] GDPR Portal, supra note 2.

[4] Id.

[5] Matt Burgess, GDPR will change data protection – here’s what you need to know, Wired (Sep. 25, 2017), [].

[6]GDPR Portal, supra note 2.

[7] Joe Curtis, What is GDPR, everything you need to know, ITPRO (Aug. 9, 2017), [].

[8] Id.

[9] European Commission Press Release IP/15/6321, The Commission, Agreement on Commission’s EU Data Protection Reform Will Boost Digital Single Market (Dec. 15, 2015).

[10] Curtis, supra note 8.

[11] Burgess, supra note 6.

[12] Id.

[13] Curtis, supra note 8.

[14] Nate Lord, What is GDPR (General Data Protection Regulation)? Understanding and Complying with GDPR Data Protection Requirements, Digital Guardian (July 27, 2017), [].

[15] Overview of the General Data Protection Regulation (GDPR), Information Commissioner’s Office (Sep. 28, 2017), [] [hereinafter ICO].

[16] Curtis, supra note 7.

[17] Id.

[18] Id.

[19] See id.

[20] GDPR Portal, supra note 2.

[21] Id.

[22] Id.

[23] Id.

[24] See ICO, supra note 16.

[25] Id.

[26] GDPR Portal, supra note 2.

[27] Id.

[28] Kristina Irion, Svetlana Yakovleva, Marija Bartl, Trade and Privacy: Complicated Bedfellows? How to achieve data protection-proof free trade agreements, Amsterdam, Institute for Information Law (July 13, 2016), [].

[29] Id.

[30] See Burgess, supra note 6.

[31] GDPR Portal, supra note 2.

[32] Burgess, supra note 6.

[33] GDPR Portal, supra note 2.

[34] Burgess, supra note 6.

[35] Matt Burgess, You’re about to get lots more control over your Facebook and Google data, Wired (July 6, 2017), [].

[36] See Finley, supra note 2.

[37] Nick Wallace, Overzealous EU data protection regulations are more likely to take your job than a robot, City A.M. (Mar. 2, 2017, 4:59 AM), [].

[38] New EU Data Regulation Takes Digital Economy Two Giant Steps Backward, Says ITIF, Information Technology & Innovation Foundation (Apr. 14, 2016), [].

[39] Burgess, supra note 6.

[40] European Commission Press Release, supra note 10.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *