CIPP/E Study Guide
Ch 1.6 - GDPR

The General Data Protection Regulation

The Directive could not keep pace with technology and globalisation, so the Commission proposed the GDPR in January 2012. It entered into force in May 2016 and became fully enforceable on 25 May 2018. As a regulation it is binding in its entirety and directly applicable without transposition, maximising consistency, though member states may still enact more specific rules in some areas. Key innovations include data protection by design and by default, accountability, the one-stop shop and broad reach over anyone targeting EU consumers.

Even though the Directive was technology neutral, it could not keep pace with technology and globalisation. The Commission launched a review in 2009, set out a strategy in 2010, and proposed the GDPR in January 2012 as a comprehensive reform imposing a single set of rules. After a trilogue between the Commission, Parliament and Council, the GDPR entered into force in May 2016 and became fully enforceable on 25 May 2018.

Directive vs Regulation - why the GDPR is a regulation
Feature       | Directive (95/46/EC)                                  | Regulation (GDPR)
Legal effect  | Binding as to result; states choose form and method   | Binding in its entirety, directly applicable
Transposition | Must be transposed into national law                  | No transposition needed
Consistency   | Divergent national implementations                    | Maximises consistency (but states may add specific rules)
Status        | Repealed by the GDPR                                  | Current EU law

A regulation is binding in its entirety and applies directly to all member states on entry into force, without transposition, to maximise consistency. But the GDPR allows member states to enact more specific rules in some situations, so some divergence remains. Examples include sector-specific employee data rules, archiving/research/statistics, processing of special categories of personal data, and processing under a legal obligation.

Key innovations of the GDPR include:

  • Stronger rights for individuals, especially online
  • Data protection by design and by default
  • Accountability - organisations must demonstrate compliance
  • Increased powers for supervisory authorities
  • The one-stop shop
  • Broader applicability to anyone targeting EU consumers

Key terms - quick answers

What is “GDPR”?
Regulation (EU) 2016/679; entered into force May 2016, fully enforceable 25 May 2018; replaced Directive 95/46/EC.
What is “Regulation”?
EU legislation binding in its entirety and directly applicable in all member states without needing transposition into national law.
What is “Trilogue”?
The negotiation between the European Commission, European Parliament and Council of the EU that produced the agreed GDPR text.
What is “Data protection by design and by default”?
GDPR requirement that data protection be considered when new technologies are developed.