It is an essential principle of the law not only in the United States of America but throughout a multitude of nations globally that an individual has the superior right to his/her personal property. Whether it be a car, a coat or a television, an individual who owns that item also owns various legal rights attendant to that item. The right to exclude people from using one’s property, the right to permit others to use one’s property, and the right to alienate or otherwise to control one’s property are merely a few of the rights associated with personal property in nearly all legal systems throughout the world. The law, however, has been slow in many respects to account for the most unique, personal variety of personal property which is our personal information.
That lack of legal authority concerning ownership of personal information has changed significantly with the recent enactment of the General Data Protection Regulation (the “GDPR”) in the European Union (the “EU”). In a broad sense, the GDPR has given EU residents power over their personal information. The GDPR bill, which was passed in 2016 and took effect in May of 2018, grants EU residents substantial rights with regard to their personal information. Those rights include:
- Right to be forgotten;
- Right to access; and
- Right to data portability.
Those rights listed above afford EU residents the ability to have their personal information erased, disclosed, or transferred by a company who possesses, has control, or otherwise processes that information. The GDPR also places a heavy burden on companies engaged in the collection, maintenance, and use of personal information.
The GDPR has been a topic of controversy due to the ambiguity surrounding its scope and whether the EU will be able to exercise extraterritorial jurisdiction based on the obligations outlined in the GDPR applying to personal information of all EU residents, notwithstanding where those EU residents might be located at any given time (Example: an EU resident/student studying abroad for a semester in the United States who provides his/her personal information to an American retailer on a trip to the mall). While there is significant validity to that argument that the EU does not have the power to burden companies in non-member countries located on the other side of the globe, that does not reduce the necessity for companies across the world to take note and to address GDPR compliance in the near term. That is especially the case because the GDPR, while wide reaching itself under its express provisions, has sparked the introduction and passage of many laws around the globe concerning data privacy regulation. These policies resemblance to the GDPR displays that the GDPR has set the standard for what data privacy regulation and compliance will be moving forward.