GDPR – Where did that come from?

Murgova & Partners Attorneys at Law | View firm profile

Owing to our hard work on matters, related to
the GDPR by assisting our clients with regard to the new policies required, we thought
it would be interesting to highlight the ideas and grounds, hidden behind the
new data protection requirement. Lately we've been working for companies,
striving to become compliant with the new Regulation, which already entered into
force on 25th of May 2018. The article draws attention to the
relevant consecutive ongoings, which describe the necessity of a regulation,
containing the best principles from the previous ones on the one hand, and
guaranteeing adequate level of protection on the other.

At the base stand the so called "International Safe
Harbor Privacy Principles", established at the end of 20th/sup> century,
which seek to prevent the organizations located in the EU or USA who store
customer data from accidentally disclosing or losing personal information. As a
consequence of these Principles, the US Department of Commerce developed a privacy
framework to correspond with the EU data protection legislation. In the year
2000, the EU Commission adopted a decision, which confirmed that the US
companies guarantee the minimum level of protection when it comes to the usage
of personal information of EU citizens. In other words the "Safe Harbour
decision" stipulates that the United States' principles did comply with
the EU Directive from 1995, known as Data Protection Directive.

And here come the most enthralling facts, which we will briefly summarize. In 2011,
the Austrian student Maximilian Schrems, while studying law during a semester
abroad at Santa Clara University in Silicon Valley, USA, made a request under
the European "right to access" provision for Facebook's record on him
and received a CD containing over 1,200 pages of personal data. All of the
information had been transferred from Facebook's Irish subsidiary to servers
located in the United States, where it was processed. If you ask why Facebook
established a subsidiary of the company in Ireland and set up its international
headquarters in Dublin, the answer is simple – to get access to the EU market
and to benefit from the low Irish corporate tax rates. However, Max Schrems
filed a first round of complaints against the company with the Irish Data
Protection Commissioner in 2011. Later on, Schrems lodged a subsequent complaint
with the Irish supervisory authority (the Data Protection Commissioner), taking
the view that, in the light of the revelations made in 2013 by Edward Snowden,
concerning the activities of the United States intelligence services (in
particular the National Security Agency), the law and practice of the United
States do not offer sufficient protection against surveillance by the public
authorities of the data transferred to that country.

On October, 6th 2015, The Court of Justice, in its decision №
C-362/14 declared that the
Commission's US Safe Harbour Decision is invalid. Right after the court's
decision, a huge legal gap appeared. The transatlantic exchanges of personal
data for commercial purposes between the European Union and the United States
had to be somehow regulated. The EU-US Privacy Shield as a replacement for the
International Safe Harbor Privacy Principles was approved in its final version by
EU Member States representatives on July, 8th 2016. The Privacy
Shield Frameworks were designed by the U.S. Department of Commerce and the
European Commission to provide companies on both sides of the Atlantic with a
mechanism to comply with data protection requirements when transferring
personal data from the European Union and Switzerland to the United States in
support of transatlantic commerce.

On April, 14th 2016 the GDPR was approved and the enforcement date set
for May 25th 2018. The new Regulation replaces the Data Protection
Directive from 1995 and aims to harmonize data privacy laws across EU, to
protect and empower all EU citizens' data privacy and to reshape the way
organizations across the region approach data privacy. An interesting fact is
that literally days before the enforcement of GDPR, The Facebook-Cambridge
Analytica data scandal involved the collection of personally identifiable
information of up to 87 million Facebook users. This popped up like a hot topic
that paved the way of the Regulation.

The challenges companies are facing in connection to the implementation of the
Regulation require a revision of data processing policies and establishment of
measures to achieve compliance with the new rules. This will inevitably lead to
the necessity of a team of experts who will need to combine their professional
skills in various areas such as legal, IT, project management and compliance. When
companies do not have the internal resources and methodology, it is advisable
to engage outside experts and consultants who can assist throughout the process.

"Murgova and partners" Attorneys at law have already provided
GDPR compliance services to a number of clients and we are working hard on the
implementation of all requirements of the GDPR. This handled by our team of
legal experts, working closely with our IT partners.    

"Murgova &
Attorneys at

More from Murgova & Partners Attorneys at Law