In today's global marketplace, organizations must comply with an increasingly complicated set of international laws and regulations. This article is the first in a seven-part series which seeks to explain, in plain English, the critical compliance requirements of the European Union's forthcoming General Data Protection Regulation (GDPR). While this series will focus on a number of the most significant "need to know" features of the GDPR, future editions of this series will also compare how the GDPR will affect commerce among and between three of the world's most significant markets: the United States, the European Union, and China.
Part 1: A brief history of European data protection law and why it matters for understanding the GDPR
What is the GDPR and why is it important?
The forthcoming GDPR is a new European regulation intended to strengthen and unify data protection for all individuals within the EU. It applies directly in every EU member state and becomes fully effective on May 25, 2018. The regulation replaces the currently controlling Data Protection Directive 95/46/EC, and one of its most significant changes is territorial: it reaches "data controllers" and "data processors" that have no establishment in the EU, provided they:
- offer goods or services to individuals in the EU (whether or not payment is required); or
- monitor the behavior of individuals in the EU, to the extent that behavior takes place within the EU.
Note that the test is where the data subject is located, not citizenship or residence. The regulation will therefore apply to many international corporations that either do business within the EU or process the personal data of people in the EU from outside it.
How is a history of European data protection relevant to understanding the GDPR?
Understanding the history of European efforts to protect the personal data of individuals is helpful in two ways. First, it helps practitioners see how the GDPR's new standards change the compliance requirements of the existing European framework rather than replacing it wholesale. Second, because that history has shaped data protection efforts around the globe, it provides a foundation for understanding the data privacy and data protection regimes that will continue to evolve in the U.S. and other countries.
An early but important effort: the 1980 OECD Guidelines
From the outset, it is helpful to recognize that the principles behind the GDPR are not new. They have roots in the aftermath of World War II, when the leaders of a war-torn Europe concluded that the best way to secure lasting peace and prosperity was broader international cooperation and reconstruction. To aid in that effort, the Organisation for European Economic Co-operation (OEEC) was founded in 1948 to administer Marshall Plan aid; in 1961 it was reconstituted as the Organisation for Economic Co-operation and Development (OECD), with the United States and Canada joining the European members as founders.
In 1980, the OECD (whose membership by then extended beyond Europe to include the U.S., Canada, Japan and Australia) issued a set of international data privacy and protection guidelines known as the "Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data." These guidelines established several principles of data protection and privacy that are reflected in today's GDPR, including the following:
- Personal data should be collected for specified purposes and used only in ways consistent with those purposes (purpose specification and use limitation);
- Personal data should be protected by reasonable safeguards against loss and against unauthorized access, destruction, use, modification or disclosure (security safeguards);
- Individuals should have the right to know what data is collected about them and who holds it (openness);
- Individuals should have the right to obtain access to any data relating to them (individual participation); and
- Individuals should be able to challenge the retention of data about them and, where the challenge succeeds, to have it amended or erased.
The OECD guidelines quickly became the global...