EU GDPR comes into force

Europe-wide data protection legislation becomes law on Friday with the aim of allowing citizens to have greater control over how their data is stored and managed by third parties.
Photo credit: Nolan PR

Discussions began six years ago and attracted high attention from a multitude of stakeholders due to its broad impact on Europe’s and even the world’s digital economy.

It is the biggest overhaul of data protection legislation in over 20 years and will ensure that people know how their data is being used and have control over it. 

There are concerns, however, that small and medium sized businesses will struggle to cope with the burden of the new measures.


The new EU data protection rules seek to strengthen citizens’ rights and simplifying rules for companies in an increasingly data-driven world.

The general data protection regulation (GDPR) was adopted in April 2016 and means a citizen has to give their clear and affirmative consent for their data to be processed and the right to receive clear and understandable information about who is processing the data.

A citizen can ask for their data to be deleted, has the right to transfer data to another service provider and also has the right to know when data has been hacked.

The new rules apply to all companies operating in the EU, even if these companies are based outside of the EU.

It will be possible to impose measures, such as warnings and orders, or fines on firms that are breaking the new rules. The maximum ceiling for fines in the most serious infringement cases is four per cent of the company’s total worldwide annual turnover.

Speaking on Friday, Parliament’s rapporteur on the GDPR dossier, Jan Albrecht, said, “With the GDPR, the European Union sets a global standard and ensures that fundamental rights, consumer protection and fair competition are strengthened. 

“For the first time, the same high level of data protection rules applies to everyone in the European Union; the new EU-wide rules replace a patchwork of 28 different national regulations.”

Justice Commissioner Věra Jourová said, "As of today GDPR is on. The recent Facebook and Cambridge Analytica revelations were a wake-up call. They showed that, in the digital age, strong personal data protection rules area necessity, not a luxury."

European Parliament President Antonio Tajani said, "This is the biggest reform of privacy legislation since the birth of the internet. It is a decisive step to protect our citizens by allowing them to use the network with serenity and freedom.

"Once again, Parliament has played a central role in defining and approving state-of-the-art standards. We certainly do not intend to stop here. Our priority is to achieve true governance of the technological revolution, introducing an appropriate framework of rules as soon as possible. We need to see clear responsibilities for operators and to ensure the proper functioning of the digital market, with a fair tax, and the full protection of personal data, copyright and consumer rights."

EPP group leader Manfred Weber said it was “great that Europe is setting standards worldwide”, while his group colleague Viviane Reding – who, as a Commissioner, introduced GDPR – said,

“We did it. We have become standard setters. Thank you Jan Albrecht for the tremendous work you’ve done, thank you to our EU staff and legal experts.”

However, Sophie in ‘t Veld, who was Parliament’s ALDE group shadow rapporteur on the GDPR dossier, cautioned, “Amid the GDPR celebrations let’s not forget that other leg of the data protection package, the directive that protects our data when being used by the police. State of implementation by member states on the deadline of May 2018: close to zero.”

Further comment came from ECR group MEP Dan Dalton who said, “GDPR is a big step forward, but it is untested. Big companies and online platforms have the means to adapt to these changes, but smaller ones are struggling to do so. That’s why the EU must adopt a wait and see approach before legislating any further.  Consumers want strong data protection rules, but this shouldn’t be incompatible with innovation or ensuring online services remain free.

“The EU must take a soft-touch approach in the early stages of GDPR. Everybody needs time to adapt and a grace period is necessary to ensure that companies and online platforms are given a chance before litigation or big fines. When policymakers legislate such an overhaul of the rules, we must understand that this takes time and there will be false starts early on.”   

Elsewhere, GUE/NGL group shadow rapporteur Cornelia Ernst said, “After a long back and forth, and without forgetting the impact of Edward Snowden’s case, it was possible to find a parliamentary majority in support of a modern data protection regulation in the EU. Between the NSA scandal and the case of Cambridge Analytica five years have passed. 

“The half-baked hearing of Facebook CEO Marc Zuckerberg proves that a new set of rules for the protection of personal data is not only badly needed but long overdue.”

“This regulation will assure minimum technical standards by making companies build data protection into the new products and services they design (privacy-by-design and privacy-by-default). As for companies that process information in a large-scale, the regulation is unambiguous, those who do not abide by the rules, will be asked to pay and it won’t be little.”



Read the most recent articles written by Martin Banks and Julie Levy-Abegnoli - Parliament approves controversial EU copyright reform

Share this page