European Union Data Privacy Law Reform:General Data Protection Regulation, PrivacyShield, and the Right to Delisting
By W. Gregory Voss*
I. I
Some of the most significant European data privacy law developments that haveemerged since the European Union adopted the Data Protection Directive
in1995 occurred during the past year. These include the adoption of the EuropeanUnion’s General Data Protection Regulation (“GDPR”),
the invalidation by the
 decision of the U.S.–EU Safe Harbor cross-border data-transfer frame-work,
and the subsequent replacement of the Safe Harbor framework with theEU-U.S. Privacy Shield.
The “right to delisting,” which the 2014
 Google Spain
 de-cision created, also experienced continued development.
This survey reviews theGDPR’s main provisions—arguably the most important recent development—andthen discusses the other developments noted above.
On April 27, 2016, the European Union finally adopted the GDPR, more thanfour years after the European Commission proposed it. The regulation came into
* W. Gregory Voss is a professor of business law at Toulouse University, Toulouse BusinessSchool, and an associate member of the Institut de Recherche en Droit Europe´en International etCompare´ (IRDEIC) in Toulouse, France.1. Council Directive 95/46, 1995 O.J. (L 281) 31 (EC) [hereinafter Directive 95/46].2. Commission Regulation 2016/679 of 27 Apr. 2016 on the Protection of Natural Persons withRegard to the Processing of Personal Data and on the Free Movement of Such Data, and RepealingDirective 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU) [hereinafterGDPR].3. Case C-362/14, Schrems v. Data Prot. Comm’r (Oct. 6, 2015),
 Transatlantic Data Flows: Restoring Trust Through Strong Safeguards
, COM (2016) 117 final (Feb. 29,2016) [hereinafter
 Transatlantic Data Flows
].5. Case C-131/12, Google Spain SL v. Agencia Espan˜ola de Proteccio´n de Datos (AEPD), 2014E.C.R. 317, Here,the term “right to delisting” has been preferred as the specific reference to one of the forms of the“right to be forgotten,” as proposed in Voss and Castets-Renard’s taxonomy.
 W. Gregory Voss& Ce´line Castets-Renard,
 Proposal for an International Taxonomy on the Various Forms of the “Rightto Be Forgotten”: A Study on the Convergence of Norms
, 14 C
. T
. L.J. 281, 325–27 (2016).
force on May 24, 2016,
and it will become applicable starting May 25, 2018,
when it will repeal the current Data Protection Directive.
This gives companiesuntil May 2018 to adapt to its new provisions.European Union data protection law protects individuals (natural persons, asopposed to corporate entities or legal persons), which it refers to as “data subjects,”with respect to their personal data processing.
The GDPR defines both “process-ing” and “personal data” broadly and in adherence with the Data Protection Direc-tive, even though it reorganizes and updates the Data Protection Directive’s defi-nitions. Processing with respect to personal data may include, but is not limitedto, the following: “collection, recording, organisation, structuring, storage, adapta-tion or alteration, retrieval, consultation, use, disclosure by transmission, dissemi-nation or otherwise making available, alignment or combination, restriction, era-sure or destruction.”
The relevant personal data are “any information relating toan identified or identifiable natural person (‘data subject’),” and may include loca-tion data, online identifiers, and other forms of information that may be used toidentify a data subject directly or indirectly, in addition to classic identifyingdata such as names and identification numbers.
The following sections address a few of the GDPR provisions that differ signif-icantly from the Data Protection Directive and are important for businesses.
 A. T
The GDPR’s territorial scope is larger than that of the Data Protection Direc-tive. The personal data processing place no longer controls the analysis; instead,under the GDPR, processing merely must occur “in the context of the activities of an establishment of a controller or a processor in the Union,” a definition thatexpands the analysis to include the activities of the processor that processes per-sonal data on behalf of the data controller.
The GDPR also applies to the “pro-cessing of personal data of data subjects who are in the [European] Union by acontroller or processor not established in the [European] Union” so long as theprocessing is related to “the offering of goods or services, irrespective of whethera payment of the data subject is required, to such data subjects in the Union” orthe monitoring of such data subjects’ behavior “as far as their behaviour takes
6. GDPR,
 note 2, art. 99(1), at 87 (“This regulation shall enter into force on the twentiethday following that of its publication in the
 Official Journal of the European Union
.”). The date of itspublication in the
 Official Journal of the European Union
 was May 4, 2016.7.
. art. 99(2), at 87.8.
. art. 94(1), at 86.9.
. art. 1(1)–(2), at 32;
. art. 4(1), at 33.10.
. art. 4(2), at 33.
 Directive 95/46,
 note 1, art. 2(b), at 38 (defining “processingof personal data”).11. GDPR,
 note 2, art. 4(1), at 33.
 Directive 95/46,
 note 1, art. 2(a), at 38(defining “personal data”).12. GDPR,
 note 2, art. 3(1), at 32.
 Directive 95/46,
 note 1, art. 3, at 39 (ad-dressing scope). The consideration of a processor’s activities in determining the territorial scope of theGDPR reflects the greater accountability of processors under the GDPR, when compared to the DataProtection Directive.
 The Business Lawyer; Vol. 72, Winter 2016–2017
place within the [European] Union.”
For example, the GDPR applies to a U.S.provider’s cloud-based-services offering to individuals in the European Union,even where the offering requires no payment and the provider has no establish-ment in the European Union, to the extent that the offering involves processingthose individuals’ personal data.
B. P
 Although the GDPR’s personal data processing principles are similar to thosein the Data Protection Directive, there are a few differences. For example, theGDPR explicitly requires data to be processed “in a transparent manner,” butthe Data Protection Directive only implicitly requires transparency.
In addi-tion, the GDPR specifies that inaccurate data must be erased or rectified “withoutdelay,”
adding a time element to the “accuracy” principle already contained inthe Data Protection Directive. Finally, the “accountability” principle requires thecontroller to be able to demonstrate compliance with the other personal dataprocessing principles.
This latter provision ties into the new GDPR record-keeping obligations discussed in Section II.G.
C. S
, S
The GDPR also amends the “storage limitation” principle. Whereas the DataProtection Directive allowed Member States to determine personal data storageperiods for “historical, statistical or scientific use,”
the GDPR establishes a spe-cific regime for personal data processing “for archiving purposes in the publicinterest, scientific or historical research purposes or statistical purposes.”
It ex-empts such data from the general requirement that personal data may only bekept in identifiable form “for no longer than is necessary for the purposes forwhich the[y] . . . are processed.”
Instead, the data may be stored for longer pe-riods subject to “implementation of the appropriate technical and organisationalmeasures required . . . to safeguard the rights and freedoms of the data subject.”
These measures implement the “data minimization” principle, and they may in-clude the use of pseudonymization (for de-identification), where relevant.
In addition, the GDPR allows Member States or the European Union to dero-gate from a data subject’s rights to access or correct his or her personal data, and
13. GDPR,
 note 2, art. 3(2), at 33.14. GDPR,
 note 2, art. 5(1)(a), at 35 (“processed lawfully, fairly and in a transparent man-ner”).
 Directive 95/46,
 note 1, art. 6(1)(a), at 40 (“processed fairly and lawfully”).15. GDPR,
 note 2, art. 5(1)(d), at 35.
 Directive 95/46,
 note 1, art. 6(1)(d),at 40.16. GDPR,
 note 2, art. 5(2), at 36.17. Directive 95/46,
 note 1, art. 6(1)(e), at 40.18. GDPR,
 note 2, art. 5(1)(e), at 36.19.
. art. 89(1), at 84–85.
European Union Data Privacy Law Reform
object to or restrict its processing, where the derogation is for scientific or his-torical research purpose—or statistical purposes if the data subject’s exerciseof such rights is “likely to render impossible or seriously impair the achievementof the specific purposes,”
subject to the safeguards mentioned above. Anotherprovision permits certain derogations for archiving purposes in the public inter-est.
 Where the processing has multiple purposes, the derogation will only apply to the corresponding purposes.
D. L
, I
The GDPR retains the requirement that a legitimate basis must exist in orderfor personal data processing to be lawful.
It further develops the “purpose lim-itation” principle, allowing the controller to evaluate whether personal data pro-cessing for a purpose other than the one for which the data were srcinally col-lected enjoys such a basis, where it is not based on the law or the data subject’sconsent. This compatibility determination considers, among other things, linksbetween the two purposes, context (including the relationship between thedata subject and the controller), the data’s nature (specifically, whether specialdata categories are involved), possible consequences for the data subject, andthe existence of “appropriate safeguards,” which could include data encryptionor pseudonymization.
 Where consent is the processing basis, it must be unambiguous. The Data Pro-tection Directive provided that “the data subject’s consent” meant “any freely given specific and informed indication of his wishes by which the data subjectsignifies his agreement to personal data relating to him being processed.”
The GDPR similarly defines data subject “consent” but provides the additionalrequirement that the data subject’s wishes be “unambiguous” and manifested“by a statement or by a clear affirmative action.”
The GDPR sets out additional conditions for such consent beyond those con-tained in the Data Protection Directive, including a requirement that the control-ler be able to demonstrate that the data subject has given his or her consent.
If a declaration that covers other matters contains a consent request, the requestmust be clearly written and distinguishable from those matters, with one riskfor non-compliance being that the declaration’s consent request will be non-binding.
These requirements encourage good recordkeeping and proper docu-ment drafting.
. art. 89(2), at 85.23.
. art. 89(3), at 85.24.
. art. 89(4), at 85.25.
. art. 6, at 36–37.
 Directive 95/46,
 note 1, art. 7(f), at 40 (“[P]ersonal datamay be processed only if . . . processing is necessary for the purposes of the
 interests pur-sued by the controller or by the third party . . . .”) (emphasis added).26. GDPR,
 note 2, art. 6(4), at 37.27. Directive 95/46,
 note 1, art. 2(h), at 39.28. GDPR,
 note 2, art. 4(11), at 34.29.
. art. 7(1), at 37.30.
. art. 7(2), at 37.
 The Business Lawyer; Vol. 72, Winter 2016–2017
Under the GDPR, data subjects also must be informed of their right to with-draw consent prospectively, and this right must be as easy to exercise as it wasfor the data subject to initially give consent.
 When determining whether a datasubject has freely given consent, a reviewing authority will take “utmost account”of whether contract performance (including for a service) “is conditional on con-sent to the processing of personal data that is not necessary for the performanceof that contract.”
Finally, where a child under sixteen years old is concerned,processing is lawful only if “the holder of parental responsibility over the child”gives or authorizes consent. Member States may lower this age threshold to nolower than thirteen.
The controller must make reasonable efforts to verify that any such holder has given or authorized consent.
E. D
The GDPR requires transparency in the provision of information to data sub- jects about their rights and the means of exercising them.
This requirement ap-plies regardless of whether data are collected directly from the data subject
orindirectly from a third party.
Under the GDPR, data subjects continue to benefitfrom rights they had under the Data Protection Directive, such as the right to ac-cess,
the right to object to processing (which they may exercise at any time whenthe processing is for direct-marketing purposes),
and from the transparency- andaccuracy-principle requirements discussed above, as well as the related right torectification “without undue delay.”
 A data subject has the right not to be subjectto a “decision based solely on automated processing including profiling, whichproduces legal effects concerning him or her or . . . significantly affects him orher,” subject to certain exceptions, such as where the data subject provides explicitconsent or where automated processing is necessary for a contract between thecontroller and the data subject.
The GDPR creates several new rights for data subjects beyond those providedby the Data Protection Directive. First, it creates a “[r]ight to erasure (‘right to beforgotten’).”
This right is often dependent on the data subject meeting the cri-teria set out in the relevant clause (e.g., it is subject to there being no overridinglegitimate grounds for the processing, where the data subject exercises his or
. art. 7(3), at 37.32.
. art. 7(4), at 37.33.
. art. 8(1), at 37. The age sixteen threshold specified in this provision does not affect thegeneral law relating to the legal capacity of a child to enter a contract.
. art. 8(3), at 38.34.
. art. 8(2), at 38.35.
. art. 12, at 39–40.36.
. art. 13, at 40–41.37.
. art. 14, at 41–42.38.
. art. 15, at 43.
 Directive 95/46,
 note 1, art. 12, at 42.39. GDPR,
 note 2, art. 21, at 45–46.
 Directive 95/46,
 note 1, art. 14, at 42–43.40. GDPR,
 note 2, art. 16, at 43.
 Directive 95/46,
 note 1, art. 12(b), at 42.41. GDPR,
 note 2, art. 22, at 46.
 Directive 95/46,
 note 1, art. 15, at 43.42. GDPR,
 note 2, art. 17, at 43–44;
 see also
 Voss & Castets-Renard,
 note 5, at 297–98,334–36 (terming the “right to be forgotten” as including a “right to digital oblivion”).
European Union Data Privacy Law Reform
of 14