The European Union General Data Protection Regulation: What It Is And What It Means

40 Pages Posted: 16 Oct 2018  

Chris Jay Hoofnagle

University of California, Berkeley - School of Information; University of California, Berkeley - School of Law

Bart van der Sloot

Tilburg University - Tilburg Institute for Law, Technology, and Society (TILT)

Frederik Zuiderveen Borgesius

University of Amsterdam - IViR Institute for Information Law (IViR)

Date Written: September 24, 2018

Abstract

This article introduces U.S. lawyers and academics to the normative foundations, attributes, and strategic approach to regulating personal data advanced by the European Union’s General Data Protection Regulation (“GDPR”). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s short and medium-term implications. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed and protective regulatory regime, which will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Keywords: Privacy, Data Protection, EU, European Union, General Data Protection Regulation, GDPR, Information Privacy, Consumer Privacy

JEL Classification: K12, K00, D10, D11, D20, D30, D40, D60, D70, L00, L11, L20, L51

Suggested Citation

Hoofnagle, Chris Jay and van der Sloot, Bart and Zuiderveen Borgesius, Frederik, The European Union General Data Protection Regulation: What It Is And What It Means (September 24, 2018). Available at SSRN: https://ssrn.com/abstract=3254511 or http://dx.doi.org/10.2139/ssrn.3254511

Chris Jay Hoofnagle

University of California, Berkeley - School of Information ( email )

212 South Hall
Berkeley, CA 94720-4600
United States
510-643-0213 (Phone)

HOME PAGE: http://hoofnagle.berkeley.edu

University of California, Berkeley - School of Law ( email )

344 Boalt Hall
Berkeley, CA 94720-7200
United States
510-643-0213 (Phone)

HOME PAGE: http://hoofnagle.berkeley.edu

Bart Van der Sloot

Tilburg University - Tilburg Institute for Law, Technology, and Society (TILT) ( email )

P.O.Box 90153
Prof. Cobbenhagenlaan 221
Tilburg, 5037
Netherlands

Frederik Zuiderveen Borgesius (Contact Author)

University of Amsterdam - IViR Institute for Information Law (IViR) ( email )

Amsterdam
Netherlands

HOME PAGE: http://www.ivir.nl/employee/zuiderveen-borgesius/

Register to save articles to
your library

Register

Paper statistics

Downloads
154
rank
178,197
Abstract Views
790
PlumX