Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The European Union general data protection regulation: what it is and what it means

Chris Jay Hoofnagle, Bart van der Sloot, Frederik Zuiderveen Borgesius

TL;DR

The paper analyzes the EU GDPR as a comprehensive, strategic framework for personal data regulation that extends beyond US privacy approaches. It situates the GDPR within Europe’s constitutional commitments to data protection, contrasts it with the U.S. model, and explains its enforcement-oriented architecture and extraterritorial reach. It emphasizes how the GDPR promotes data governance, accountability, and human-in-the-loop decision making, while restricting certain data practices and accelerating the role of first-party data relationships. The work highlights the GDPR’s global impact on data practices, its implications for business models, and its ongoing regulatory evolution.

Abstract

This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union's General Data Protection Regulation ('GDPR'). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR's approach and provisions; and make predictions about the GDPR's implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

The European Union general data protection regulation: what it is and what it means

TL;DR

The paper analyzes the EU GDPR as a comprehensive, strategic framework for personal data regulation that extends beyond US privacy approaches. It situates the GDPR within Europe’s constitutional commitments to data protection, contrasts it with the U.S. model, and explains its enforcement-oriented architecture and extraterritorial reach. It emphasizes how the GDPR promotes data governance, accountability, and human-in-the-loop decision making, while restricting certain data practices and accelerating the role of first-party data relationships. The work highlights the GDPR’s global impact on data practices, its implications for business models, and its ongoing regulatory evolution.

Abstract

This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union's General Data Protection Regulation ('GDPR'). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR's approach and provisions; and make predictions about the GDPR's implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Paper Structure

This paper contains 12 sections.

Table of Contents

  1. Introduction
  2. The GDPR's strategic implications
  3. Roadmap
  4. Background to the GDPR
  5. When does the GDPR apply?
  6. Personal data and processing
  7. Who is accountable for upholding the GDPR requirements?
  8. The GDPR's extraterritoriality
  9. What are the exceptions from the application of the GDPR?
  10. Lawful data activities under the GDPR
  11. Adherence to Europeanized FIPs
  12. The legal basis for processing personal data