The analysis of the establishment of the general data protection regulation and the aftermath of the expansion of the extraterritorial scope for non-EU countries

Abstract

In May 2018, the new European Union data protection law took effect, known as the General Data Protection Regulation (Hereinafter the “GDPR”). The GDPR builds on many existing concepts of European Data Protection legislation and creates new rights for users whose data are processed. As a regulation, it is directly applicable to all of the member states of the European Union without any legislative measures at national level. The result is new responsibilities to comply with data handling organizations. The Regulation addresses two main ideas: strengthening and unifying data privacy rules for individuals in the European Union; and extending data protection territorial scope by regulating the export of European citizens' personal data outside the EU. While some analysts claim that, the general privacy policies of different websites, mobile applications and operating systems are also similar across borders due to the diffusive and universal nature of the Internet, at the same time, apart from a few international and regional legal instruments, laws on data protection are largely determined by national parliaments and could therefore differ. The GDPR is the ‘’modernized’’ and upgraded version of the Data Protection Directive (Hereinafter the ‘’DPD’’), whose provisions were defined to protect EU residents’ personal data prescribing the limits of EU-based controllers’ activities, however, with the expansion of the Internet, transnational data flow has become unavoidable. While the DPD discussed the transfer of data from the EU to third countries, there were some limitations when it came to its extraterritorial application as well as the liability for damages.