THE NEW GENERAL DATA PROTECTION REGULATION: A EUROPEAN OR A GLOBAL STANDARD? Bart van der Sloot Senior Researcher Tilburg Institute for Law, Technology, and Society (TILT) Tilburg University, Netherlands https://www.tilburguniversity.edu/webwijs/show/b.vdrsloot/

Overview (1) Fundamental right (2) Material provisions (3) Regulation within the EU (4) Transfer of Data

(1) Fundamental right European Convention on Human Rights 1950 ARTICLE 8 Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

(1) Fundamental right CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION, adopted in 2000, came into force in 2009 Article 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.

(1) Fundamental right TREATY ON THE FUNCTIONING OF THE EUROPEAN UNION Article 16 1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

(1) Fundamental right Council of Europe: RESOLUTION (73) 22 ON THE PROTECTION OF THE PRIVACY OF INDIVIDUALS VIS-A-VIS ELECTRONIC DATA BANKS IN THE PRIVATE SECTOR Council of Europe: RESOLUTION (74) 29 ON THE PROTECTION OF THE PRIVACY OF INDIVIDUALS VIS-A-VIS ELECTRONIC DATA BANKS IN THE PUBLIC SECTOR Council of Europe: 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data European Union 1995: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data European Union 2016: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

(2) Material provisions Directive Regulation Right to be informed Right to access data Right to correct Right to object Right to resist automatic decion making Right to resist profiling Right to be forgotten Right to data portability

(2) Material provisions Directive Regulation Transparancy Data Quality Security and confidentiality Accountability Data Protection by Design and by Default Privacy Impact Assessements Data Protection Officer Documentation

(2) Material provisions Directive Regulation Remedies Right to lodge a complaint with a supervisory authority Liability Right to an effective judicial remedy against a supervisory authority Sanctions Right to an effective judicial remedy against a controller or processor Representation of data subjects Right to compensation and liability Administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher

(3) Regulation within the EU Directive > Regulation DPAs > Lead authority Working Party 29 > European Data Protection Board National States > European Commission European Commission > Court of Justice (Digital Rights)

(4) Transfer of Data Google Spain Schrems Regulation Article 3 Territorial scope 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.