Radu-Mihai Dumitrescu

2018-07-01

Abstract:The protection of patients' personal and medical data has always been an important subject for medical practice, with explicit regulations being implemented. Whether we are talking about civil and criminal codes or laws governing the medical profession, they all seek to protect fundamental human rights. The confidentiality of medical data is maintained even after the death of the patient, this aspect being governed since the profiling of the physician profession through the Hippocratic Oath. Discussions on privacy and confidentiality occupy an important place in sociological, medical, legal, ethical and anthropological literature. There are references to the benefits gained by improving accessibility to data as they migrate to computer environments. Along with the technological evolution, all of this data has been transferred to electronic systems. A major concern with the trend towards electronic health records focuses on protecting privacy and patient confidentiality (Vanderminden and Potter, 2016). Data transfer, as well as their processing through many computer systems belonging to different public and private entities, brings new challenges at the individual and social level. Under the protection afforded by the right of individuals to access to information and the current tendency to ease access to information, a number of institutions have created online portals that manage a huge amount of data. The way these data are processed in accordance with the rights of the individual remains an issue that is not fully resolved. 1 Faculty of Sociology and Social Work, University of Bucharest, Bucharest, Romania, dum_mihu@yahoo.com Journal of Comparative Research in Anthropology and Sociology, Volume 9, Number 1, Summer 2018 2 On the occasion of a doctoral research on medical malpractice, I conducted the interrogation of the portal of Romanian courts (http://portal.just.ro). A huge amount of data can be obtained easily in a short time. In the context of the expected impact of the implementation of the GDPR (General Data Protection Regulation) in relation to the functioning of the public institutions, I conducted a qualitative research looking at how medical data and personal data are managed by the courts. Decisions of the courts published in the jurisprudence section have been analyzed. The paper analyzes the compliance of the judicial public institutions with the data protection legislation considered in the paradigm of institutional logic. We can assume that the individualistic principle exercised by the professional institution (the medical profession) can conflict and require a balancing with the utilitarian, collective principle, which can explain some of the state institution's actions (courts of justice). GDPR aims to reinforce existing legal provisions. GDPR does not seem to bring about changes in the substance of laws or doctrines on data confidentiality, but appears to be a form of supra-state control. The way in which GDPR will influence policies and practices regarding the processing of personal and medical data will be analyzed with the passage of time.

Law,Business

Gauthier Chassang

DOI: https://doi.org/10.3332/ecancer.2017.709

2017-01-03

ecancermedicalscience

Abstract:The use of personal data is critical to ensure quality and reliability in scientific research. The new Regulation [European Union (EU)] 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [general data protection regulation (GDPR)], repealing Directive 95/46/EC, strengthens and harmonises the rules for protecting individuals' privacy rights and freedoms within and, under certain conditions, outside the EU territory. This new and historic legal milestone both prolongs and updates the EU acquis of the previous Data Protection Directive 95/46/EC. The GDPR fixes both general rules applying to any kind of personal data processing and specific rules applying to the processing of special categories of personal data such as health data taking place in the context of scientific research, this including clinical and translational research areas. This article aims to provide an overview of the new rules to consider where scientific projects include the processing of personal health data, genetic data or biometric data and other kinds of sensitive information whose use is strictly regulated by the GDPR in order to give the main key facts to researchers to adapt their practices and ensure compliance to the EU law to be enforced in May 2018.

Victoria Chico

DOI: https://doi.org/10.1093/bmb/ldy038

2018-11-17

British Medical Bulletin

Abstract:Background: On the May 25, 2018 the General Data Protection Regulation (hereafter the GDPR or the Regulation) came into force, replacing the Data Protection Directive 95/46/EC (upon which the Data Protection Act 1998 is based), and imposing new responsibilities on organizations which process the data of European Union citizens.Sources of data: This piece examines the impact of the Regulation on health research.Areas of agreement: The Regulation seeks to harmonize data privacy laws across Europe, to protect and empower all EU citizen's data privacy and to reshape the way that organizations approach data privacy (See the GDPR portal at: https://www.eugdpr.org/ (accessed 8 May 2018). As a Regulation the GDPR is directly applicable in all member states as opposed to a directive which requires national implementing measures (In the UK the Data Protection Act 1998 was the implementing legislation for the Data Protection Directive 95/46/EC.).Areas of controversy: The Regulation is sector wide, but its impact on organizations us sector specific. In some sectors, the Regulation inhibits the processing of personal data, whilst in others it enables that processing. The Regulation takes the position that the 'processing of data should be designed to serve mankind' (Recital 4). Whilst it does not spell out what exactly is meant by this, it indicates that a proportionate approach will be taken to the protection of personal data, where that data can be processed for common goods such as healthcare. Thus, the protection of personal data is not absolute, but considered in relation to its function in society and balance with other fundamental rights in accordance with the principle of proportionality (Recital 4). Differing interpretations of proportionality can detract from the harmonization objective of the Regulation.Growing points: Reflecting the commitment to proportionality, scientific research holds a privileged position in the Regulation. Throughout the Regulation provision is made for organizations that process personal data for scientific research purposes to avoid restrictive measures which might impede the increase of knowledge. However, the application of the Regulation differs across health research sectors and across jurisdictions. Transparency and engagement across the health research sector is required to promote alignment.Areas timely for developing research: Research which focuses on the particular problems which arise in the context of the regulation's application to health research would be welcome. Particularly in the context of the operation of the Regulation alongside the duty of confidentiality and the variation in approaches across Member States.

medicine, general & internal

Iulian Nastasa,Florentina-Ligia Furtunescu,Dana-Galieta Minca

DOI: https://doi.org/10.26574/maedica.2024.19.2.2982024;

Abstract:Objective: The General Data Protection Regulation (GDPR), which became effective on May 25, 2016, underscored the significance of confidentiality across various economic and social domains. Within the medical sector, confidentiality of patient health information is meticulously governed by laws, e.g., no. 95/2006 and no. 46/2003. While these laws address numerous privacy aspects within the doctor-patient relationship, it becomes necessary to update them to align with the latest advancements in emerging technologies, particularly in the context of telemedicine. Material and methods: Upon reviewing the overview of rules pertaining to health data processing in Romania, as published by the European Data Protection Board (EDPB) in 2021, and comparing it with the current public health and research laws in Romania, it becomes apparent that there is a regulatory gap concerning the secondary use of health data. Results: This gap is particularly notable in terms of planning, managing and enhancing the healthcare system, as well as utilizing such data for scientific and historical research purposes, leading to the necessity of developing and regulating the European Health Data Space. Conclusion: Although steps have been taken to align the GDPR legislation in Romania, there is still a disproportionality in the regulation of privacy and cyber security with the implementation of new technologies that will collect, process and store sensitive medical data.

Bocong Yuan,Jiannan Li

DOI: https://doi.org/10.3390/ijerph16061070

IF: 4.614

2019-03-25

International Journal of Environmental Research and Public Health

Abstract:The rapid development of digital health poses a critical challenge to the personal health data protection of patients. The European Union General Data Protection Regulation (EU GDPR) works in this context; it was passed in April 2016 and came into force in May 2018 across the European Union. This study is the first attempt to test the effectiveness of this legal reform for personal health data protection. Using the difference-in-difference (DID) approach, this study empirically examines the policy influence of the GDPR on the financial performance of hospitals across the European Union. Results show that hospitals with the digital health service suffered from financial distress after the GDPR was published in 2016. This reveals that during the transition period (2016–2018), hospitals across the European Union indeed made costly adjustments to meet the requirements of personal health data protection introduced by this new regulation, and thus inevitably suffered a policy shock to their financial performance in the short term. The implementation of GDPR may have achieved preliminary success.

public, environmental & occupational health,environmental sciences

John Mark Michael Rumbold,Barbara Pierscionek

DOI: https://doi.org/10.2196/jmir.7108

IF: 7.076

2017-02-24

Journal of Medical Internet Research

Abstract:BACKGROUND: The enactment of the General Data Protection Regulation (GDPR) will impact on European data science. Particular concerns relating to consent requirements that would severely restrict medical data research have been raised.OBJECTIVE: Our objective is to explain the changes in data protection laws that apply to medical research and to discuss their potential impact.METHODS: Analysis of ethicolegal requirements imposed by the GDPR.RESULTS: The GDPR makes the classification of pseudonymised data as personal data clearer, although it has not been entirely resolved. Biomedical research on personal data where consent has not been obtained must be of substantial public interest.CONCLUSIONS: The GDPR introduces protections for data subjects that aim for consistency across the EU. The proposed changes will make little impact on biomedical data research.

health care sciences & services,medical informatics

J. Noar,N. Hemmings

DOI: https://doi.org/10.12968/ORTU.2018.11.3.110

2018-07-02

Orthodontic Update

Abstract:Abstract: The General Data Protection Regulations (GDPR) govern the use of personal data within the European Union as from 25th May 2018. This supersedes the legislation of the Data Protection Act (DPA). Whilst it has many similarities to the DPA, it has significant enhancements that require active engagement to ensure compliance. It is a requirement for practices to appoint a Data Protection Officer, pay the Information Commissioners Office (ICO) fee, update their privacy notices, create written contracts between controllers and processors, identify and document the lawful basis for processing data, and comply with the rights of individuals. CPD/Clinical Relevance: Data protection regulations have changed as part of EU legislation. These changes applied from 25th May 2018 and are applicable to all.

Business,Law

T Opgenhaffen,M B de Koning

Abstract:Background: Medical confidentiality is a foundation under every treatment relationship. Medical confidentiality is not immutable and has undergone a number of developments in recent decades. Aim: Reflection on the developments that medical confidentiality went through in the Netherlands and Belgium in recent decades and on the connection between medical confidentiality and the General Data Protection Regulation (GDPR). Method: Exploration of differences and similarities in legislation and practice regarding medical confidentiality and the GDPR in the Netherlands and Belgium, and consideration of the consequences of the implementation of the GDPR. Results: Medical confidentiality went through a relativization, a privatization and a materialization. There are two views on the relationship between GDPR and medical confidentiality: that the GDPR can be an exception to medical confidentiality, and that medical confidentiality always ranks higher than the GDPR. Conclusion: Medical confidentiality and the GDPR are substantially different. There is a risk that the focus on the GDPR, both at the societal level and within organizations, may diminish the focus on medical confidentiality.

Teodora Lalova-Spinks,Robbe Saesen,Mitchell Silva,Jan Geissler,Iryna Shakhnenko,Jennifer Catherine Camaradou,Isabelle Huys

DOI: https://doi.org/10.3389/fphar.2023.1280173

IF: 5.6

2024-02-20

Frontiers in Pharmacology

Abstract:Background: In the European Union, the General Data Protection Regulation (GDPR) plays a central role in the complex health research legal framework. It aims to protect the fundamental right to the protection of individuals' personal data, while allowing the free movement of such data. However, it has been criticized for challenging the conduct of research. Existing scholarship has paid little attention to the experiences and views of the patient community. The aim of the study was to investigate 1) the awareness and knowledge of patients, carers, and members of patient organizations about the General Data Protection Regulation, 2) their experience with exercising data subject rights, and 3) their understanding of the notion of "data control" and preferences towards various data control tools. Methods: An online survey was disseminated between December 2022 and March 2023. Quantitative data was analyzed descriptively and inferentially. Answers to open-ended questions were analyzed using the thematic analysis method. Results: In total, 220 individuals from 28 European countries participated. The majority were patients (77%). Most participants had previously heard about the GDPR (90%) but had not exercised any of their data subject rights. Individual data control tools appeared to be marginally more important than collective tools. The willingness of participants to share personal data with data altruism organizations increased if patient representatives would be involved in the decision-making processes of such organizations. Conclusion: The results highlighted the importance of providing in-depth education about data protection. Although participants showed a slight preference towards individual control tools, the reflection based on existing scholarship identified that individual control holds risks that could be mitigated through carefully operationalized collective tools. The discussion of results was used to provide a critical view into the proposed European Health Data Space, which has yet to find a productive balance between individual control and allowing the reuse of personal data for research.

pharmacology & pharmacy

Branko Marovic,Vasa Curcin

DOI: https://doi.org/10.2196/14604

IF: 3.2

2020-04-17

JMIR Medical Informatics

Abstract:As of May 2018, all relevant institutions within member countries of the European Economic Area are required to comply with the European General Data Protection Regulation (GDPR) or face significant fines. This regulation has also had a notable effect on the European Union (EU) candidate countries, which are undergoing the process of harmonizing their legislature with the EU as part of the accession process. The Republic of Serbia is an example of such a candidate country, and its 2018 Personal Data Protection Act mirrors the majority of provisions in the GDPR. This paper presents the impact of the GDPR on health data management and Serbia’s capability to conduct international health data research projects. Data protection incidents reported in Serbia are explored to identify common underlying causes using a novel taxonomy of contributing factors across aspects and health system levels. The GDPR has an extraterritorial application for the non-EU data controllers who process the data of EU citizens and residents, which mainly affects private practices used by medical tourists from the EU, public health care institutions frequented by foreigners, as well as expatriates, dual citizens, tourists, and other visitors. Serbia generally does not have well-established procedures to support international research collaborations around its health data. For smaller projects, contractual arrangements can be made with health data providers and their ethics committees. Even then, organizations that have not previously participated in similar ventures may require approval or support from health authorities. Extensive studies that involve multisite data typically require the support of central health system institutions and relevant research data aggregators or electronic health record vendors. The lack of a framework for preparation, anonymization, and assurance of privacy preservation forces researchers to rely heavily on local expertise and support. Given the current limitation and potential issues with the legislation, it remains to be seen whether the move toward the GDPR will be beneficial for the Serbian health system, medical research, protection of personal data and privacy rights, and research capacity. Although significant progress has been made so far, a strategic approach is needed at the national level to address insufficient resources in the area of data protection and develop the personal data protection environment further. This will also require a targeted educational effort among health workers and decision makers, aiming to improve awareness and develop skills and knowledge necessary for the workforce.

medical informatics

Antonia Vlahou,Dara Hallinan,Rolf Apweiler,Angel Argiles,Joachim Beige,Ariela Benigni,Rainer Bischoff,Peter C Black,Franziska Boehm,Jocelyn Céraline,George P Chrousos,Christian Delles,Pieter Evenepoel,Ivo Fridolin,Griet Glorieux,Alain J van Gool,Isabel Heidegger,John P A Ioannidis,Joachim Jankowski,Vera Jankowski,Carmen Jeronimo,Ashish M Kamat,Rosalinde Masereeuw,Gert Mayer,Harald Mischak,Alberto Ortiz,Giuseppe Remuzzi,Peter Rossing,Joost P Schanstra,Bernd J Schmitz-Dräger,Goce Spasovski,Jan A Staessen,Dimitrios Stamatialis,Peter Stenvinkel,Christoph Wanner,Stephen B Williams,Faiez Zannad,Carmine Zoccali,Raymond Vanholder

DOI: https://doi.org/10.1161/HYPERTENSIONAHA.120.16340

IF: 9.8968

Hypertension

Abstract:The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Thiago Luís Sombra

DOI: https://doi.org/10.54648/gplr2020083

2020-06-01

Global Privacy Law Review

Abstract:The Brazilian Data Protection Law (LGPD) will enter into force in August 2020. Brazil was one of the few countries among the major global economies not to have a regulatory framework for personal data protection, which means, it was a minor player in the subject with sparse regulations such as the Civil Rights Framework for the Internet, Civil Code and the Consumer Protection Code. The cultural change to be imposed by LGPD can be noticed by the principles that give legal grounds to the law. With around ten general principles, including purpose, necessity, open access, transparency, security, liability and accountability, which are particularly emphasized, LGPD aims to rebalance the games of power, increase transparency, responsiveness and empower the subjects of personal data in their interactions in cyberspace. Data Protection, cybersecurity, data subjects, LGPD, GDPR, Brazil

Rebecca R. Lee,Janet E. McDonagh,Albert Farre,Sarah Peters,Lis Cordingley,Tim Rapley

DOI: https://doi.org/10.1111/1467-9566.13408

2021-11-23

Abstract:With the most recent developments to the European General Data Protection Regulations (GDPR) introduced in May 2018, the resulting legislation meant a new set of considerations for study approvers and health-care researchers. Compared with previous legislation in the UK (The Data Protection Act, 1998), it introduced more extensive and directive principles, requiring anybody 'processing' personal data to specifically define how this data will be obtained, stored, used and destroyed. Importantly, it also emphasised the principle of accountability, which meant that data controllers and processors could no longer just state that they planned to adhere to lawful data protection principles, they also had to demonstrate compliance. New questions and concerns around accountability now appear to have increased levels of scrutiny in all areas of information governance (IG), especially with regards to processing confidential patient information. This article explores our experiences of gaining required ethical and regulatory approvals for an ethnographic study in a UK health-care setting, the implications that the common law duty of confidentiality had for this research, and the ways in which IG challenges were overcome. The purpose of this article was to equip researchers embarking on similar projects to be able to navigate the potentially problematic and complex journey to approval.

public, environmental & occupational health,social sciences, biomedical,sociology

Mirosław Tokarski

DOI: https://doi.org/10.37105/sd.86

2020-11-19

Abstract:The process of establishing normative acts in the European Union does not occur out of nowhere, but in the context of specific social needs. That was the case of the genesis of establishing legal regulations regarding the protection of personal data in the European Union. Socio-economic integration, which resulted from the functioning of internal market in the European Union, has led to a significant increase in cross-border transfers of personal data. It led to situation in which various economic operators or state institutions of the Member States have increasingly processed the personal data of the EU citizens. Within time, these data have become an equally valuable commodity - not to say even more valuable – compared to goods and services (Costa-Cabral, and Lynskey Orla, 2017, p. 11). Making use of personal data on a large scale especially by public and private entities, associations and companies over time has posed a threat to the security of personal data. This has made it necessary to introduce legal protection measures for personal data in the European Union that would eliminate the negative effects of any form of personal data processing. The purpose of this article is to evaluate legal regulations regarding legislative protection of personal data in the European Union against the background of EU Regulation 2016/679 of the European Parliament and the Council with respect to the protection of individuals due to processing personal data, its free movement and repealing Directive 95/46/EC (hereinafter referred to as Regulation 2016/679). Due to initially adopted purpose of the considerations there arose a problem which was formulated in the form of a question: Do the legal measures introduced by the Regulation constitute an effective tool for the protection of personal data in the event of a violation of the law by personal data administrators and entities while processing such data? The presented purpose of the considerations and the research problem determined the order of the analysis.

English Else

Mahsa Shabani,Pascal Borry

DOI: https://doi.org/10.1038/s41431-017-0045-7

2017-11-29

European Journal of Human Genetics

Abstract:Genetic data contain sensitive health and non-health-related information about the individuals and their family members. Therefore, adopting adequate privacy safeguards is paramount when processing genetic data for research or clinical purposes. One of the major legal instruments for personal data protection in the EU is the new General Data Protection Regulation (GDPR), which has entered into force in May 2016 and repealed the Directive 95/46/EC, with an ultimate goal of enhancing effectiveness and harmonization of personal data protection in the EU. This paper explores the major provisions of the new Regulation with regard to processing genetic data, and assesses the influence of such provisions on reinforcing the legal safeguards when sharing genetic data for research purposes. The new Regulation attempts to elucidate the scope of personal data, by recognizing pseudonymized data as personal (identifiable) data, and including genetic data in the catalog of special categories of data (sensitive data). Moreover, a set of new rules is laid out in the Regulation for processing personal data under the scientific research exemption. For instance, further use of genetic data for scientific research purposes, without obtaining additional consent will be allowed, if the specific conditions is met. The new Regulation has already fueled concerns among various stakeholders, owing to the challenges that may emerge when implementing the Regulation across the countries. Notably, the provided definition for pseudonymized data has been criticized because it leaves too much room for interpretations, and it might undermine the harmonization of the data protection across the countries.

genetics & heredity,biochemistry & molecular biology

Jonatas S. de Souza,Jair M. Abe,Luiz A. de Lima,Nilson A. de Souza

DOI: https://doi.org/10.48550/arXiv.2009.14313

2020-09-29

Cryptography and Security

Abstract:Rapid technological change and globalization have created new challenges when it comes to the protection and processing of personal data. In 2018, Brazil presented a new law that has the proposal to inform how personal data should be collected and treated, to guarantee the security and integrity of the data holder. The purpose of this paper is to emphasize the principles of the General Law on Personal Data Protection, informing real cases of leakage of personal data and thus obtaining an understanding of the importance of gains that meet the interests of Internet users on the subject and its benefits to the entire Brazilian society.

Lena Enqvist,Yana Litins'ka

DOI: https://doi.org/10.36969/njel.v5i1.24498

2022-08-31

Nordic Journal of European Law

Abstract:While there are many feasible reasons for employers to process employee health data, the protection of such data is a fundamental issue for ensuring employee rights to privacy in the workplace. The sharing of health data within workplaces can lead to various consequences, such as losing a sense of privacy, stigmatisation, job insecurity and social dumping. At the European level, the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and EU General Data Protection Regulation (GDPR)–two interconnected instruments–offer the most enforceable protection of employee health data. The article analyses the limits of employees’ right to privacy regarding health data, as delineated by the ECHR and GDPR. Using three fictive examples, we illustrate how the level of protection differs in these two instruments. In particular, we show that the protection of health data offered by the GDPR is seen as an objective act of processing at the time it is carried out, where the actual impact caused by the processing on private life is not considered. On the contrary, the ECHR’s applicability and offered level of protection in the employment context depend on subjective factors, such as the consequences of sharing the data.

Soledad Cabezón Ruiz,Rubén Morilla Romero de la Osa

2021-10-07

Abstract:In addition to the opportunities posed by the use of Big Data in health, it also generates important challenges in the field of research, especially from the point of view of its management and ethical considerations. The European Union has been promoting different initiatives that allow the exploitation of this data in the context of the knowledge economy. The UNESCO Ethics Committee has identified three ethical principles to take into account regarding the application of Big Data in Health: independence, privacy and justice. The protection of privacy and patient safety is questioned in a context where cybersecurity is far to be complete. In addition, an imbalance in the exploitation of these data by the public and private sectors could generate inequalities that would represent a significant problem of social justice. This article follows a qualitative methodology based on the documentary analysis of current legislative texts, especially the recently approved General Data Protection Regulation (GDPR), as well as non-legislative documents of projects and parliamentary communications throughout the last two legislatures, with the aim of analyzing them and evaluating how they conform to the principles outlined by UNESCO, especially with respect to the principle of social justice. The most representative national projects that have started to be adopted are also reviewed.

Sanchit Alekh

DOI: https://doi.org/10.48550/arXiv.1806.03253

2018-06-01

Computers and Society

Abstract:The GDPR, or the Datenschutz Grundverordnung (DSGVO) in German, is an EU Law which addresses the subject of safeguarding privacy of personal data of the citizens of the EU and EEA. It also specifies how data the collected data might be transported out of the EU/EEA. It is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. The GDPR aims to not only give more control over their personal data to the citizens, but also make conformance for businesses easier by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that confirms with Privacy by Design. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers/processors.

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.