As a regulation, the General Data Protection Regulation (GDPR) and its rules are directly applicable in the EU Member States – as opposed to the rules established in the former Data Protection Directive, which needed transposition into national laws and had therefore led to a fragmented situation throughout the EU Member States.
Moreover, data protection has become a fundamental right under EU law, recognised by the Treaty on the Functioning of the European Union and the EU Charter of Fundamental Rights since the Lisbon Treaty.
The current EU rules on data protection in Directive 95/46/EC date back to 1995. With the GDPR, the protection of personal data is to be adapted to the digital era.
From a consumer perspective, some of the changes the GDPR introduces are a right to transfer data to another service provider (data portability), the right to be notified of a data breach, the requirement to explain privacy policies in clear and understandable language, and stronger enforcement. Firms may face fines of up to 4% of their total worldwide annual turnover for breaking the data protection rules. In addition, the GDPR incorporates additional principles relating to the processing of data (transparency, integrity and confidentiality, and accountability), as well as more detailed conditions for consent, and there is a particular article regarding a child's consent in relation to information society services.

Also new is the obligation to designate a data protection officer for organisations under certain circumstances, e.g. if the organisation's core activities consist of processing personal data that involves regular and systematic monitoring of data subjects on a large scale. There is now also an article on data protection by design and by default, and a "one stop shop" mechanism for the competence of the supervisory authority: in principle, the authority of the main establishment or of the single establishment is competent to act as lead supervisory authority for the cross-border processing of personal data.

Furthermore, the territorial scope of the Regulation now extends beyond the activities of a controller or processor in the EU: it also applies to controllers and processors outside the EU if they offer goods or services within the EU, or if they monitor behaviour to the extent that the behaviour takes place in the EU.