EU-Logos

Just over a year ago, on May 25, the General Data Protection Regulation (commonly known as the GDPR[1]) was adopted by the European Union (EU) Member States. This regulation not only marked an important development for the field of data protection and its harmonisation across the Union, but also highlighted the debate between security and privacy in this new digital age. A year after its entry into force, academics, policy-makers and company owners reflect upon the changes undertaken to comply with the regulation and upon its impacts. Although positive developments can be observed as going in the right direction, there is still much work left to do. This article reflects upon the first year of the GDPR and assesses the positive and the more difficult developments it brought about, as well as its current position not only in the EU but also across the globe.

1. Capital changes

Many questions were raised in recent years concerning privacy, data storage and exchanges. Pre-existing legislation, such as the 1995 Data Protection Directive[2], was increasingly seen as insufficient to cover and protect fundamental human rights linked to data transfers, storage and usage for the online consumer. Consequently, when the talks on the GDPR first appeared on the European agenda, they were a source of much controversy.

One thing is certain: this has not changed much since its adoption. As Marelli and Testa argue “the implications of the GDPR in an ongoing paradigmatic legal controversy[3]”. Indeed, the GDPR is an important symbol in an ever-developing and expanding digital era. Furthermore, with its dual aim of “affording citizens increased protection and empowerment over personal data, while also enhancing the circulation of those data within the EU”[4], the GDPR became an important symbol for human rights advocates by pursuing stronger commitments to privacy[5].

As pointed out during a lecture organised by the Centre for European Policy Studies[6], there are various perspectives on the implementation of the GDPR and the changes that took place. When reflecting upon the past year, three main points come forward: first, the human rights perspective; second, harmonisation at the EU level; finally, the international outreach of the GDPR and its implications for foreign companies.

1.1. Human rights development

In terms of human rights implications, the European Digital Rights association (EDRi) points out that the GDPR enables the inclusion of the voice of civil society in digital and connected spaces. Indeed, and as expected during negotiations on the regulation, the GDPR meant a step towards the integration of a strong human rights perspective.[7]

Laybats and Davies highlight the difference between the 1995 Data Protection Directive and today’s GDPR by stating that the latter reinforced the rights of the individual online, notably by establishing stricter, clearer and more understandable rules on privacy and data exchanges[8]. The notion of consent and “the right to be forgotten” especially come to the fore.

This means that “extensive information must be provided to individuals including details about recipients, retention periods and the range of their individual rights such as access and portability. All of this needs to be provided in an accessible language to ensure that it can easily be understood.”[9]

In practice, this is exemplified by the number of complaints and fines. Individuals’ increased awareness of their rights regarding their online presence is seen as an “encouraging development”.[10] EDRi points out that more than 90,000 data breaches were reported[11]. A significant case that reflects the seriousness of the GDPR and its enforcement is the recent penalty against British Airways. The latter is facing a £183 million fine for breaching data protection rules, notably the GDPR. Borshoff from Politico reports:

“The Information Commissioner’s Office (ICO) fined British Airways for failing to protect user data after approximately 500,000 web customers were diverted to a fraudulent site, where attackers stole their details. The ICO believes the breach began in June 2018 and involved names, email addresses and credit card information. […] The penalty is the UK’s first and largest public fine since Europe’s new data regime came into effect in 2017”

Borshoff, I. (2019). British Airways hit with major fine in data theft case. Politico.

The response to this breach reflects the readiness of enforcement agencies and demonstrates the commitment to compliance with the GDPR. It is expected that such a sizeable fine will encourage other companies and organisations to strengthen their data protection mechanisms.

Additionally, some speakers at the CEPS conference highlighted that there is also a cultural shift, in the sense that data protection has become a topic of high value and is receiving increasing importance and funds for its development. This cultural shift embraces fundamental human rights values in a “time of crisis of democracy”[12]. Consequently, data protection became a symbol that showcases a continuing development and improvement of our rights. As Paul Nemitz (Principal Advisor in the DG Justice) claimed during the conference, “data protection is good news because with awareness comes activity”.[13]

Nevertheless, EDRi
reminds us that the regulation is not a “magical solution”.[14]
Indeed, it leads to a certain “fatigue of users”, dishonest circumvention by
some and the acceptance of data use due to a lack of understanding.[15]
There is thus still some work to do on the human level for a better
understanding of one’s rights and information on what the GDPR does to
safeguard them.  

1.2. GDPR in the EU

With the adoption of the GDPR, an important step was the harmonisation of the laws on data protection across the EU. Indeed, given the free movement of goods, people, capital and labour, it appears natural that data, as an immaterial good, could also circulate freely and further contribute to the development of the single market, in which the regulation serves to ensure a minimum standard and protection for EU citizens.

The use of a regulation as the legislative tool was an important step to avoid too much discrepancy between the Member States.[16] Although the regulation still leaves the Member States some discretion in its application, this is minimal compared to a directive.

This important strategic decision was meant to ensure proper implementation and facilitate its enforcement. With the guidelines provided by the European Data Protection Board[17], which brings together each Member State’s supervisory authorities, the GDPR was expected to “work towards uniformity of enforcement proceedings and determine disputes involving processing in more than one Member State”.[18]

Despite this general understanding of the regulation as a step towards integration, some scholars argue the opposite. Albrecht notes that some believe that the GDPR would emphasise the discrepancies between the Member States rather than harmonise them.[19] Nevertheless, he goes on to say that this argument remains rather weak, considering that the adoption of the GDPR as a regulation already represented a major step towards Union-wide harmony and increasingly affects data protection rules internationally.[20]

Although it is still too early to contrast different Member States’ compliance with the regulation, various actors expressed the positive developments and directions the states took.[21] Despite some critics who claim that there are still “divergent interpretations by Member States”[22], Albrecht emphasises that it is normal for Member States to maintain some of their competences, for instance when national security is concerned[23]. Overall, it is still too early to determine whether the GDPR will be successful in homogenising data protection rules and activities or whether it is doomed, as some authors claim.

1.3. International reach of the GDPR

As Goddard points out, the operationalisation of data protection and privacy rules can be rather tricky due to the complexity of conceptualising ‘privacy’.[24] While this is already a matter of difficulty within the Union, the GDPR’s implementation and impact for non-EU based companies requires attention in this first year. Prior to its implementation, scholars already prescribed a universal response to the GDPR in Europe. Albrecht notably claimed that:

“It is paramount to understand how the GDPR will change not only the European data protection laws but nothing less than the whole world as we know it […]. [The GDPR] will serve as a global gold standard for every new innovation, for consumer trust in digital technologies and for an entry point to the growth opportunities of an emerging digital market.”[25]

This statement is increasingly proving to be correct when observing the adjustments anticipated and adopted by many foreign companies and organisations. At the CEPS conference[26], panellists representing the business and transatlantic point of view declared that there was a conscious effort to comply with the GDPR guidelines and rules. One of the speakers notably elaborated on the developments taking place in the state of California, home to many multinational companies. There is a state-wide will to incorporate many of the GDPR rules into the legislation. While the first step is at state level, the desire to bring this matter to the federal government remains strong.

Furthermore, the GDPR’s “wide jurisdictional scope” enables its enforcement on companies residing outside of the EU in situations where EU users are targeted and impacted by online usage.[27] Additionally, these companies appoint an “EU-based representative” in charge of managing the compliance and implementation. While this directly concerns companies with a European audience, a spillover effect is observable due to the widespread and extraterritorial reach of data transfers. Laybats and Davies question this scope of application by drawing attention to companies such as Amazon and Google, whose users are not only European but worldwide.[28] Whether the rules that apply to European users will be transposed homogeneously for the whole world remains unanswered at this point in time. Nevertheless, Goddard points out that:

“Organisations based outside the EU will also face pressure for GDPR compliance as part of the supply chain for research services. Clients using data processors based outside the EU will need to ensure that the higher GDPR standards are reflected in the contractual provisions. This may lead to more detailed supplier questionnaires and greater auditing of the business. Negotiations around apportionment of liability can also be expected to play a larger part of the contracting process.”[29]  

Indeed, while the GDPR is becoming increasingly popular among organisations and companies, the scope of the GDPR remains principally limited to EU-linked businesses. Yet, its international reach should not be underestimated. Talks at the CEPS conference demonstrate a rather optimistic attitude on the future of data protection rules internationally.[30] Described as “a paramount cultural shift for businesses and companies”[31], the field of data protection is becoming a central concern for organisations that work towards creating adequate systems (privacy assessments, etc.). In fact, data protection becomes an attractive starting point for the development of business models and new technologies complying with the GDPR.

Overall, this confirms Laybats and Davies’ claim that “there is an overwhelming societal desire for transparency on managing and the use of personal data, so the GDPR has superseded everything else”.[32] So far, Europe seems to have successfully exported this law and hopefully prepared the ground for further international developments.

2. Concluding remarks

As this article
demonstrates, the GDPR represents a significant change for many actors. Whether
it is for the individual user, EU companies or foreign organisations, the
regulation seems to be expanding positively. While it is yet unknown how this
will develop in the future in terms of EU harmonisation, the steps taken
suggest a sustainable implementation of the rules.

Furthermore, the GDPR represents an important symbol for the advancement of democracy in an age of crisis. Indeed, with technological development comes increasing online presence and increasing data which can be easily misused. The regulation thus serves to protect important fundamental rights such as privacy and to sanction the illegal use of data and non-compliance. Although the law is enforced, there are still companies that try to circumvent the rules, including the social media giant Facebook. Nevertheless, increasing public awareness of the misuse of data and of online exposure has contributed to the growing information available on one’s rights and the GDPR. Laybats and Davies affirm that:

“Demand is rising for regulation in this area and I believe that the GDPR is just the start. Once other people in countries not currently under GDPR protection consider the implications for their personal data and protecting it, it will only be a matter of time before other countries step up to the mark and draft their own GDPR.”[33]

Indeed, this statement is borne out when following legislative developments in various places, notably in California, where there is a general trend towards the adoption of and compliance with the GDPR, whether voluntary or compulsory. Additionally, data protection becomes more than a mere annoyance for companies, as exemplified by the development of new business models and technologies. Nevertheless, while some countries follow the trend and try to adopt similar rules, it is not the case everywhere. China, for instance, seems to be drifting away by incorporating more and more virtual and physical surveillance platforms in the name of security. This behaviour raises some questions about the application of the GDPR, notably whether it is undermined by its lack of global coverage.

In sum, this first year of the GDPR appears as a “test” year, in which many adjust their structures to comply with the law. It is still too early to assess its successes and failures; nevertheless, it seems to be heading in the right direction despite its flaws. Expectations that the GDPR will serve as a blueprint for others constitute an important basis for the development and safeguard of democracy.

Nevin Birer


[1] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the EU 2016 L 119/1.

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the EU 1995- L 28.

[3] Marelli, L., & Testa, G. (2018). Scrutinizing the EU General Data Protection Regulation. Science, 360(6388), p. 496.

[4] Ibid.

[5] Safari, B. A. (2016). Intangible privacy rights: How Europe’s GDPR will set a new global standard for personal data protection. Seton Hall L. Rev., 47, 809.

[6] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[7] EDRi. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[8] Laybats, C., & Davies, J. (2018). GDPR: Implementing the regulations. Business Information Review, 35(2), 81-83.

[9] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.

[10] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[11] EDRi. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[12] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[13] Nemitz, P. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[14] EDRi. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[15] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[16] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p. 287.

[17] Team, I. P. (2017). EU general data protection regulation (GDPR): an implementation and compliance guide. IT Governance Ltd.

[18] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), p. 704.

[19] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, pp. 287-288.

[20] Ibid.

[21] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[22] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.

[23] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p. 287.

[24] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), p. 703.

[25] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p. 287.

[26] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[27] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.

[28] Laybats, C., & Davies, J. (2018). GDPR: Implementing the regulations. Business Information Review, 35(2), 81-83.

[29] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), p. 704.

[30] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.

[31] Ibid.

[32] Laybats, C., & Davies, J. (2018). GDPR: Implementing the regulations. Business Information Review, 35(2), 81-83.

[33] Ibid, p. 83.

The article First anniversary of the GDPR: an overview of the changes first appeared on Le portail de référence pour l'espace de liberté, sécurité et justice.
