Loopholes in the General Data Protection Regulation

June 1, 2018
General Personal Data Protection Regulation (GDPR)


The European Union (hereinafter referred to as “EU”) will be implementing the General Data Protection Regulation (hereinafter referred to as “GDPR”) with effect from May 25, 2018. GDPR seeks to protect the personal data of EU residents and applies to companies collecting, storing and processing that data. A brief overview of GDPR, and of getting ready for it, can be found on our website.

The present article talks about some loopholes that these new privacy regulations may have.

Legitimate interests

One of the most important provisions of the GDPR is that processing of data shall be lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.[1] However, the same provision contains another condition: processing shall also be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. It is not clear whether consent must be obtained in the case of legitimate interest, or whether data subjects must be informed about the processing. Also, “legitimate interest” is a broad and flexible term that could apply to any type of processing for any reasonable purpose. Moreover, GDPR does not define what factors, if any, are to be considered in deciding what constitutes a “legitimate interest”.

Offering goods and services

Under its territorial scope, GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where such processing is related to the offering of goods or services or to the monitoring of their behavior as far as that behavior takes place within the EU.[2] Hence, a controller who is not in the EU is subject to GDPR if the processing relates to offering goods and services to individuals in the EU. However, the same personal data, once obtained by an entity after duly following GDPR norms, may be used for a purpose other than offering goods or services.

For example, Company “A”, a company outside the EU, obtains the personal data of an EU data subject after obtaining consent, and the data is duly processed. Thereafter, Company “A” sells the personal data to Company “B” in the same country for a purpose not related to offering goods and services; such activity would therefore be outside the scope of GDPR.

High costs

Compliance with GDPR will be costly, depending upon the amount of EU citizens’ data that an entity processes. Companies will also need to change their internal policies and appoint a Data Protection Officer. Companies may also have to invest in software to ensure safe protection of data and prevent unauthorized use or misuse, as the penalties for non-compliance under GDPR are quite high. Companies may be fined up to EUR 2,00,00,000 or 4% of global annual turnover for the preceding financial year, whichever is higher, in case of non-compliance.[3]

Obtaining information by data subjects

The GDPR obliges the controller, at the time of obtaining personal data, to provide the data subject with various information, such as the contact details of the data protection officer, the identity and contact details of the controller, the purpose of processing the data, etc. However, when such data is shared with a third party, only the recipients or categories of recipients of the personal data are to be provided to the data subject. It is peculiar that the controller has to reveal its own name and details but not the name and details of the third-party recipients of personal data.


All legislation is bound to have some loopholes, and GDPR is no exception. Nonetheless, GDPR is envisaged to provide more protection to people in terms of their personal data. GDPR has indeed raised the bar on data privacy and security. It has also made way for a single legal framework applicable across EU member states, and therefore businesses will be subject to a consistent set of norms.


[1] Rule 6(1) of GDPR
[2] Rule 3(2) of GDPR
[3] Rule 83(5) of GDPR

For more information, please contact us at: info@ssrana.com