Bird & Bird Guide to the General Data Protection Regulation
The General Data Protection Regulation (GDPR) is the latest version of Europe’s cornerstone data protection law. It took effect in May 2018, a marathon six and a half years after the European Commission’s original first draft was published following an unprecedented period of debate, negotiation and lobbying. This guide summarises that Regulation - a law which has significantly overhauled Europe’s data protection rules at a time when information systems and digital business underpin human life. As with the legislation which the GDPR replaced, many jurisdictions outside the European Union (EU) have followed concepts which it introduced. So understanding the GDPR and how it is enforced is important for businesses around the world.
GDPR: A new data protection landscape
After over three years of discussion at many levels, the new EU data protection framework has finally been agreed. It takes the form of a Regulation – the General Data Protection Regulation.
The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will not come into force immediately (this is likely to be in the first half of 2018). However, as it contains some onerous obligations, it will have an immediate impact.
Global Privacy Handbook 2018
Editor's Note
Innovation Driving Digital Transformation and Preparing for GDPR
Baker McKenzie is pleased to provide you with complimentary access to the 2018 edition of our Global Privacy and Information Management Handbook, which covers over 50 jurisdictions and is currently available online at tmt.bakermckenzie.com and in hardcopy for our clients (app format coming soon).
Three intricately linked themes dominated the news this past year:
- the profound transformation of business and organizational activities, processes, competencies and models to fully leverage the changes and opportunities of a mix of digital technologies (including artificial intelligence and machine learning) and their accelerating impact across society (e.g., internet of things and autonomous cars);
- the increasingly weighty challenge of managing and protecting the growing amounts and richness of data (e.g., big data) being collected, used and processed in connection with the pursuit of digital transformation; and
- the heightened global compliance obligations that are emerging to protect the rights of individuals impacted by the digital transformation underway, as most clearly represented by the implementation of the General Data Protection Regulation (GDPR).
If 2017 was largely about coming to terms with the impact of a world undergoing a digital transformation, for all businesses and organizations, the focus in 2018 will be around preparedness, action and managing risk.
GDPR VS CCPA
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the California Consumer Privacy Act of 2018 ('CCPA') (SB-1121 as amended at the time of this publication) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share personal data, whether the information was obtained online or offline.
The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date. Absent a comprehensive federal privacy law in the U.S., the CCPA is considered to be one of the most significant legislative privacy developments in the country. Like the GDPR, the CCPA's impact is expected to be global, given California's status as the fifth largest global economy. The CCPA will take effect on 1 January 2020, but certain provisions under the CCPA require organizations to provide consumers with information regarding the preceding 12-month period, and therefore activities to comply with the CCPA may well be necessary sooner than the effective date.