Old Wine with a New Label: Rights of Data Subjects Under GDPR

Abstract

Recent reforms in the data privacy protection framework in the European Union have led to the enactment of the General Data Protection Regulation (GDPR). However, it remains debatable whether the GDPR will lead to significant improvements in the protection of the privacy rights of individuals, which are always classified as fundamental rights. The advent of technology, the movement of data across geographical barriers, and the outsourcing of data processing jobs to countries outside the EU necessitated the enactment of the GDPR. Although some of the provisions of the GDPR remain generically similar to analogous provisions in the 1995 Data Protection Directive, the GDPR differs in some respects. As a “Regulation,” not a “Directive,” the GDPR is better equipped to overcome the problem of harmonization across the EU member-states. Furthermore, the GDPR incorporates the ‘right to be forgotten,’ clarifies and fortifies the concept of consent, provides data protection by design and default, increases the accountability of data controllers, and expands the jurisdictional scope of the Directive to include some extra-territorial (i.e., non-EU) data processors and controllers. It remains to be seen whether the GDPR is an old wine with the new label or something new in a wine bottle.