The European Union General Data Protection Regulation (GDPR) (Apr. 27, 2016) replaces the Data Protection Directive. The GDPR provides requirements for companies that use or process data in the EU, or simply use or process data about EU citizens anywhere in the world outside of the United States.

The reforms give European consumers rights and control over their personal information and impose obligations on businesses to the extent that they collect personal information from EU citizens, regardless of where they reside, or individuals who reside in the EU, regardless of their nationality.

The rules empower individuals by, among other things:

  1. Providing easier access to personal data and more information on how data is processed,
  2. Facilitating data portability, or transfers of personal data between service providers,
  3. Clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and
  4. Requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.