European Data Protection Regulation

February 2018 – Over the past decade, our economy has been increasingly shaped by the development of digital technology. The growing use of data in the development of innovative business models (smart cities, connected objects, artificial intelligence, open data, etc.) reflects a new industrial revolution: the data economy.

Against this backdrop, the European institutions felt it essential to update the 1995 legislation (Directive 95/46/EC of October 24, 1995) on personal data protection, in order to adapt it to new uses and technological developments. Proposed by the European Commission in 2012, the global reform of data protection rules finally led to the adoption of a new regulatory framework after four years of negotiations between the European Parliament, the Council and the European Commission. The new Regulation was formally approved by the institutions and published in the Official Journal of the European Union on May 4, 2016.

It is directly applicable in every member state, with no need for transposition. It is unusual, however, in that it comes into force two years after the date of its publication in the Official Journal, i.e. on May 25, 2018.

Companies have therefore had two years to comply with the new measures set out in the European Regulation. During this period, the European Commission and the authorities in charge of personal data protection organized awareness-raising operations aimed at explaining these new regulations to the various players concerned (citizens, companies, public bodies…).

In addition to harmonizing European legislation, the European Regulation gives citizens back control over their personal data, while also modifying the regulatory environment for businesses, with the aim of fostering innovation. In this respect, data protection reform is an essential component of the digital single market.

In addition to this general framework, a draft “ePrivacy” Regulation on privacy and electronic communications is due for completion between 2019 and 2020. Its aim is to repeal Directive 2002/58 of July 12, 2002, and harmonize Member States’ legislation on the confidentiality of electronic communications.

The case law of the Court of Justice of the European Union has also fueled the debate on strengthening personal data protection. It has, for example, declared the invalidity of Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services. In May 2014, it recognized the right of any person to obtain from a search engine the dereferencing of information.

The Court also invalidated the European Commission’s adequacy decision allowing the transfer of personal data to the United States under the “Safe Harbor” arrangement. A new agreement called the “Privacy Shield”, aimed at framing transfers of personal data across the Atlantic while respecting the fundamental rights of European citizens, was also concluded with the American authorities in July 2016. The first annual report, published in October 2017, reveals that the arrangement ensures an adequate level of protection. However, the European Commission is calling for additional safeguards to be put in place, and has drawn up a list of recommendations along these lines, including the establishment of a rights defender, the monitoring of US companies’ compliance with the Privacy Shield, and improved cooperation between the US and European supervisory authorities.

This guide focuses primarily on the European Data Protection Regulation. Its aim is to review the main provisions enshrined in this new legislative framework, and to shed practical light on their implementation.

We hope you enjoy reading it.