The European General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, and replaces the European Data Protection Directive from 1995. More and more people talk about it every day, and there are many myths in circulation. In this article, we debunk three of them.
Myth 1: The GDPR provides identical data protection for all EU member states
Wrong. The keyword here is harmonization: One of the goals of the GDPR is to harmonize some data protection aspects “to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States” (GDPR, Recital 10). In other words, the GDPR is like a foundation for data protection in the EU.
However, the GDPR “provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data” (GDPR, Recital 10). These so-called opening clauses allow each member state to add regulations of its own or to modify some of the rules defined in the GDPR. For example, Austria has the “Datenschutz-Anpassungsgesetz 2018”, which revises the current “Datenschutzgesetz 2000”, and Germany has a new version of the “Bundesdatenschutzgesetz”. These national laws will still differ from country to country after the GDPR becomes enforceable.
Additionally, keep in mind that these national laws and the GDPR aren't the only regulations that deal with data protection. There are dozens of other laws and regulations addressing the broad topic of data protection.
Myth 2: Private individuals don't have to comply with the GDPR
Wrong. Some people seem to be absolutely convinced that the GDPR only affects companies and authorities. However, private individuals also have to comply with the GDPR. There is an exception, though: The GDPR “does not apply to the processing of personal data […] by a natural person in the course of a purely personal or household activity” (GDPR, Article 2).
This means that private individuals must comply with the GDPR when they process personal data of other natural persons for non-personal activities. Of course, what counts as a “non-personal activity” is a matter of interpretation. Is a website still “purely personal” when it promotes products or services, or embeds advertisements to make money? This is very questionable.
In the past, lawyers often interpreted “purely personal” very strictly. For example, using e-mail addresses of your friends to forward an advertisement could already be categorized as “non-personal” processing of personal data.
Fun fact: Most national data protection laws already include this “purely personal or household activity” constraint (e.g., Austrian DSG 2000, German BDSG, Czech Act No. 101 / 2000 Coll.). This isn't a totally new aspect of the GDPR.
Myth 3: Private individuals can sue their friends for non-compliance
Wrong. This opinion is the opposite of myth 2: some people claim that they will sue you if you use services like WhatsApp, because you shared their phone number with the company.
Keep in mind: The GDPR “does not apply to the processing of personal data […] by a natural person in the course of a purely personal or household activity” (GDPR, Article 2). This means that the GDPR—and most national data protection laws—don't apply if you process personal data of your family members or friends for “purely personal” purposes.
Conclusion and further information
No, data protection won't be 100% identical in all EU member states any time soon, and many aspects of the GDPR are already part of previous national laws. Moreover, don't assume that reading the GDPR alone is enough to learn every aspect of data protection in the EU.
You should also keep in mind that:
- the term “processing” within the scope of the GDPR means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as”:
  - adaptation or alteration
  - disclosure by transmission
  - dissemination or otherwise making available
  - alignment or combination
  - erasure or destruction
- the GDPR doesn't define technical aspects of data protection. For example, Article 32 mentions “encryption of personal data”, but it defines no minimum requirements such as “use AES-256”.
- there is another upcoming regulation (the ePrivacy Regulation) which will replace the European “Regulation on Privacy and Electronic Communications” from 2002. This regulation focuses on electronic communications data that qualify as personal data.
In the meantime, we published a second article debunking GDPR myths.