GDPR: These are the most important changes

Part 3 of our blog series summarizes the key innovations of the General Data Protection Regulation (GDPR). These include an extended definition of "personal data" and the "right to be forgotten".


Björn Greif, Editor

In part 1 of our blog series on the General Data Protection Regulation (GDPR), we explained which rights you as a consumer will be able to claim in future when it comes to privacy. Part 2 highlighted the most important principles and rules, which build on the German Federal Data Protection Act (in German: Bundesdatenschutzgesetz, BDSG). In this third and final part, we discuss the key innovations of the GDPR that go beyond the BDSG.

Here is an overview of the most important items:

  • Extended definition of “personal data” (Article 4)
    Whereas previously mainly information such as name, address and telephone number was treated as personal data, the category will in future cover any data that allows a person to be identified directly or indirectly. This includes, for example, IP and MAC addresses, cookies and user IDs, digital fingerprints, and location and biometric data. Only truly anonymous data, from which no person can be identified any more, is excluded; pseudonymised data (for example a user ID replaced by a token that can still be mapped back with a separately held key) remains personal data.
    Personal data may only be collected and processed “for specified, explicit and legitimate purposes.” Frequently used phrases such as “to improve the user experience” or “for marketing purposes” are therefore no longer sufficient as a justification for processing.
  • New transparency and information requirements (Article 12 ff.)
    In future, companies will be obliged to tell users the legal basis on which their personal data is processed. The same applies to the period for which the data will be stored (or the criteria used to determine that period) and to any transfer to external processors. In addition, companies must provide all information and communications “relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” This should make it easier for users to understand what is happening with their data.
  • The “right to be forgotten” is enshrined in law (Article 17)
    Under certain circumstances, a user can demand that the site operator erase their personal data without undue delay. This is the case, for example, if they have withdrawn their consent, if the data have been processed unlawfully, or if the data are no longer necessary for the purposes for which they were collected. However, the right to be forgotten (the right to erasure) does not apply if, for example, freedom of expression or information prevails. Where the balance lies will have to be decided by the courts in individual cases.
  • Data protection by design and by default (Article 25)
    Companies must implement appropriate technical and organisational measures so that data is effectively anonymised or pseudonymised, or is only collected to the extent necessary (privacy by design). Applications and electronic devices must also be set up in a privacy-friendly manner by default, so that out of the box they only collect personal data whose processing is necessary for the respective purpose (privacy by default). What counts as “necessary” is, however, in the first instance determined by the companies themselves.
  • Even US companies must comply with EU data protection laws (Article 3)
    The GDPR applies to every company that processes personal data of persons in the European Union, regardless of where the company itself is established. In legal disputes, the law of the market in which the data are collected will apply in future (marketplace principle). Until now, the law of the country in which the company is headquartered has applied (establishment principle). Facebook in Germany, for example, has so far always been able to refer to the comparatively lax Irish data protection law, because its European headquarters is in Ireland.
  • Higher fines (Article 83)
    Under the GDPR, supervisory authorities can impose fines of up to 20 million euros or 4 % of a company's total worldwide annual turnover of the preceding financial year, whichever is higher.
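
The “privacy by design” item above stays abstract about what a technical measure looks like. The following is an added example, not code from the original post or from Cliqz or Ghostery, showing data minimisation applied to a web server access log before it is stored or handed to an analytics provider: client IP addresses are truncated to their network part, and user IDs are replaced by keyed pseudonyms. The log format, the sample lines and the function names are constructed for this example. The last function also shows the caveat a practitioner should know: an unkeyed hash of an IP address is not anonymisation, because the IPv4 space is small enough to brute-force.

```python
"""Data minimisation for a web server access log (added example).

Truncates client IP addresses and replaces user IDs with HMAC pseudonyms
so that stored log lines carry no direct identifiers.
"""
import hashlib
import hmac
import ipaddress
import re
import secrets
from typing import Optional

# Constructed sample lines in a simplified, hypothetical log format
# ("<ip> - user=<id> <rest>"); this is not real traffic.
SAMPLE_LOG = [
    '203.0.113.42 - user=alice [10/May/2018:12:00:01 +0200] "GET /account HTTP/1.1" 200',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - user=bob [10/May/2018:12:00:02 +0200] "GET /shop HTTP/1.1" 200',
    '203.0.113.42 - user=alice [10/May/2018:12:00:05 +0200] "POST /checkout HTTP/1.1" 302',
]

LOG_RE = re.compile(r"^(?P<ip>\S+) - user=(?P<user>\S+) (?P<rest>.*)$")


def anonymise_ip(ip: str) -> str:
    """Keep only the network part of an address (IPv4 /24, IPv6 /48).

    The result still says roughly where a request came from, which is
    enough for most traffic statistics, but no longer points at one host.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with an HMAC-SHA256 pseudonym (16 hex chars).

    The same user always maps to the same pseudonym, so sessions can still
    be correlated, but without the key the mapping cannot be reversed or
    brute-forced. Whoever holds the key can re-identify the user, so this
    output is pseudonymised personal data, not anonymous data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_log_line(line: str, key: bytes) -> str:
    """Rewrite one log line so that it carries no direct identifiers."""
    match = LOG_RE.match(line)
    if match is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return (f"{anonymise_ip(match['ip'])} - "
            f"user={pseudonymise(match['user'], key)} {match['rest']}")


def reverse_unkeyed_hash(digest: str, network: str) -> Optional[str]:
    """Show why a plain hash of an IP address is not anonymisation.

    The IPv4 space has only 2^32 values, so anyone who sees an unkeyed
    SHA-256 of an address can hash every candidate until one matches.
    Searching a single /24 here takes 256 hashes; the full space is
    feasible on a laptop.
    """
    for host in ipaddress.ip_network(network):
        if hashlib.sha256(str(host).encode("utf-8")).hexdigest() == digest:
            return str(host)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this key apart from the log store
    for raw in SAMPLE_LOG:
        print(minimise_log_line(raw, key))
    leaked = hashlib.sha256(b"203.0.113.42").hexdigest()
    print("unkeyed hash reversed to:", reverse_unkeyed_hash(leaked, "203.0.113.0/24"))
```

The pseudonymisation key is the piece that turns this into a real control: it has to be generated randomly, stored separately from the log data (for example in a secrets manager rather than next to the log shipper's config), and rotated or deleted when the retention period for the logs ends. Once the key is gone, the pseudonyms can no longer be linked back to anyone.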

As of 25 May 2018, the GDPR replaces the 1995 EU Data Protection Directive 95/46/EC. The EU member states may, however, pass supplementary laws that modify and clarify parts of the GDPR. In addition, the GDPR is to be supplemented by the EU's planned ePrivacy Regulation for Internet and telemedia services. It provides for stricter rules on the use of communication data, better protection against tracking, and a strengthened right to encrypted communication.

Whether the ePrivacy Regulation will enter into force at the end of May, as originally planned, together with the GDPR, is currently uncertain. Trilogue negotiations are still underway between the EU Parliament, the EU Commission and member states on concrete implementation. As with the GDPR, lobby groups are trying to influence the final text of the regulation. It is therefore to be feared that the user-friendly position will be watered down.

In the end, the new rules must first prove themselves in practice. Like most legal texts, they contain wording that is in places unclear and leaves room for interpretation. And where there are loopholes, they are usually exploited before a court rules on the interpretation in a concrete case.

You as a user should therefore never rely on laws and regulations alone to protect your privacy. Be aware of which data you are handing over to whom. Technical measures in the form of anti-tracking tools such as Ghostery or Cliqz can help: they block known trackers so that your browsing data is not sent on to third parties. Ghostery is available as an extension for all common browsers. The free Cliqz Browser with built-in tracking protection is available for Windows and macOS as well as Android and iOS.