General Data Protection Regulation

The General Data Protection Regulation (GDPR), which governs how personal data of individuals in the European Union may be processed, went into effect on May 25, 2018.  The GDPR, which replaces the Data Protection Directive 1995/46, is a comprehensive privacy legislation that applies across sectors and to companies of all sizes.  Personal data is defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier.  Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.

A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, European Economic Area residents (i.e., Norway, Lichtenstein, and Iceland), and Switzerland, if the company offers goods or services to data subjects in the European Union; or if the company is monitoring data subjects’ behavior, which is taking place within the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope.  For example, the mere accessibility of a company’s website in the European Union is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union might mean that the Regulation is applicable.

Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance.  There is an exception to this requirement for small scale and occasional processing of non-sensitive data.  Fines in case of non-compliance can reach up to four percent of the annual worldwide revenue or €20million euros–whichever is higher. 

The European Data Protection Board released official guidelines to help companies with their compliance process.

Transferring Personal Data Outside of the European Union

The GDPR not only provides for the free flow of personal data within the European Union but also for its protection when it leaves the region’s borders.  The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed) and on data processors (those who act on behalf of the controller) and gives rights to data subjects (as mentioned, the individuals to whom the data relates).  These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the region, and whether it is transferred to controllers, processors, or third parties (e.g., subcontractors).  In addition, restrictions on transfers of personal data outside of the European Union specify that such data can only be exported if “adequate protection” is provided.

The European Commission is responsible for assessing, in the form of an adequacy decision, whether a country outside the European Union has a legal framework that provides enough protection when transferring personal data from the EU to that country.  On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection provided by the EU-U.S. Privacy Shield.  That decision invalidated the EU-U.S. Privacy Shield Framework as a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.  After extensive consultation with stakeholders and negotiation between the European Union and the United States, in March 2023 the European Union and the United States announced the establishment of a new EU-U.S. Data Privacy Framework.  On July 10, 2023, the European Commission adopted an adequacy decision recognizing the United States as having sufficient protection for EU personal data under the Framework, thereby enacting the Framework and reestablishing a legal mechanism for transfers of personal data from the European Union to the United States.  See the  Data Privacy Framework website for more information.

The EU Data Act

On February 23, 2022, the European Commission published its proposal on the EU Data Act, seeking to set standards for data sharing and the use-reuse of data at an EU-wide level, covering aspects of the use of various business-to-business and government-to-business data across all sectors in relation to the use of various data.  On November 27, 2023, the European Council and the European Parliament adopted the proposal.  Once published in the EU’s official journal, it will enter into force on the twentieth day after its publication, and the law will begin to apply twenty months from the date of its entry into force.

The proposal includes measures to allow users of connected devices to gain access to data generated by them and to share such data with third parties to provide aftermarket or other data-driven innovative services.  It also includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts.  The Act includes mechanisms for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency or to implement a legal mandate if data are not otherwise available.  The Act also includes rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.  

Digital Markets Act

The Digital Markets Act regulates the market power of large online platforms to achieve fairer and more open digital markets within the European Union.  The Act regulates certain “gatekeeper firms” – large online platforms that impact how other companies interact with users online through digital services such as searching, social networking, cloud computing, and advertising services.  It prohibits gatekeepers from engaging in self-preferencing activities and restricting access to services connected to their platforms, such as online marketplaces like an app store, and be barred from preventing users from removing pre-installed software or apps.  Under the Act, EU regulators can levy fines of up to ten percent of global annual turnover of these firms, and, limitedly, break up certain parts of their corporate operations.  The companies designated as gatekeepers will have to comply with the respective obligations and prohibitions by March 2024.

Digital Services Act

The Digital Services Act will harmonize mechanisms throughout the European Union for the removal of illegal content for online service providers, including internet access providers, domain name registrants, cloud and webhosting services, and online platforms.  The Act bans targeted advertising aimed at children or based on sensitive data such as religion, gender, race, and political opinions, and it bans tactics that mislead people into giving personal data to companies online.  It regulates “very large online platforms” – those online platforms that would reach at least ten percent of the population in the European Union.  The Commission would be able to charge them a supervisory fee of up to one percent of their annual turnover.  Sanctions would be gradual and unprecedented in their scope.  Fines will amount to up to six percent of the global turnover of the conglomerate for violations of the Act.  In the event of serious and repeated breaches, national courts can go as far as a ban on operating on European territory.  The text will apply across the European Union from February 2024.

The Artificial Intelligence Act

On April 21, 2021, the European Commission published its proposal for the Artificial Intelligence (AI) Act.  The proposed law defines artificial intelligence systems, employs a risk-based approach to regulating AI systems, and applies differentiated obligations to various actors, to include the AI systems’ manufacturers, importers, and users.   On December 8, 2023, the Commission, the European Council, and the Parliament reached political agreement on the Act.  Additional technical meetings, set to resume in January 2024, will be held to finalize the text before formal approval of the Act.  Cybersecurity

Revision of the Network and Information Systems (NIS) Directive

The Directive on security of network and information systems (NIS), applicable since 2016, sets baseline requirements to ensure better protection of critical infrastructures in the European Union.  The NIS Directive set basic principles for Member States for common minimum capacity building and strategic cooperation.  It also directs operators of essential services and digital service providers to ensure that they apply basic common security requirements.  Obligations for operators of both groups include taking technical and organizational measures for risk management; to prevent and minimize the impact of security incidents; and to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.  Member States have implemented this directive in different ways, particularly with respect to operators of essential services, which led to a proposed legislative modification of the NIS Directive (so-called the NIS 2 Directive) in December 2020.  NIS 2 Directive obligates more entities and sectors to strengthen security requirements, addresses the security of supply chains, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement requirements.     A political agreement was adopted in November 2022 and the directive entered into force in January 2023.  EU member states have until October 2024 to bring the rules into their national law.