The GDPR is a comprehensive overhaul of EU Data Protection law, and replaces the 1995 Data Protection Directive. Because it is a Regulation rather than a Directive, it generally does not require implementing legislation in each Member State but instead applies directly as law. It automatically goes into effect across the EU on May 25, 2018.
The GDPR makes sweeping changes to Data Protection law, mostly in ways that do not implicate intermediaries’ liability for user content. Its provisions instead primarily govern companies’ collection and use of back-end stored data about user behavior. Compliance will affect user privacy notices, data logging and storage practices, user interfaces, internal record keeping, and contracting with vendors, among other things. One guide for in-house lawyers concludes that, under the GDPR, “[d]ata protection will be as significant as antitrust or anti-corruption in terms of compliance risk,” and is “likely to require organisation-wide changes for many businesses.” The GDPR also expands the extraterritorial application of EU data protection law to non-EU entities, and arms regulators with the power to impose fines as high as 4% of a company’s annual global turnover or €20 million, whichever is higher.
The GDPR provisions relevant to intermediary liability involve the so-called “Right to Be Forgotten.” The GDPR largely codifies the de-listing right established in the CJEU’s 2014 Google Spain ruling. However, it does so with slightly amended language that is subject to conflicting and potentially expansive interpretation. As detailed in a pending law review article, it also includes provisions that will alter notice-and-takedown processes to the detriment of online information and expression rights. As also discussed there, the GDPR leaves open the question of whether a “right to be forgotten” may in future extend to hosts and social media operators.