Just over a year ago, on May 25, the General Data Protection Regulation (commonly known as the GDPR[1]) was adopted by the European Union (EU) Member States. This regulation marked not only an important development for the field of data protection and its harmonisation across the Union, but also highlighted the debate between security and privacy in this new digital age. A year after its entry into force, academics, policy-makers and company owners reflect upon the changes undertaken to comply with the regulation and its impacts. Although positive developments can be observed as going in the right direction, there is still much work left to do. This article reflects upon the first year of the GDPR and assesses the positive and the more difficult developments it brought about, as well as its current position not only in the EU, but equally across the globe.
1. Capital changes
Many questions were raised in recent years concerning privacy, data storage and exchanges. Pre-existing legislation, such as the 1995 Data Protection Directive[2], was increasingly seen as insufficient to cover and protect fundamental human rights linked to data transfers, storage and usage for the online consumer. Consequently, when the talks on the GDPR first appeared on the European agenda, it was a source of much controversy.
One thing is certain: this has not changed much after its adoption. As Marelli and Testa argue, “the implications of the GDPR in an ongoing paradigmatic legal controversy”[3]. Indeed, the GDPR is an important symbol in an ever-developing and expanding digital era. Furthermore, with its dual aim of “affording citizens increased protection and empowerment over personal data, while also enhancing the circulation of those data within the EU”[4], the GDPR became an important symbol for human rights advocates by pursuing stronger commitments to privacy[5].
As pointed out during a lecture organised by the Centre for European Policy Studies[6], there are various perspectives to the implementation of the GDPR and the changes that took place. When reflecting upon the past year, three main points come forward. First, the human rights perspective. Second, the harmonisation on the EU level. Finally, the international outreach of the GDPR and its implications for foreign companies.
1.1. Human rights development
In terms of human rights implications, the European Digital Rights association (EDRi) points out that the GDPR enables the inclusion of the voice of civil society in digital and connected spaces. Indeed – and as expected during negotiations on the regulation – the GDPR meant a step towards the integration of a strong human rights perspective.[7]
Laybats and Davies highlight the difference between the 1995 Data Protection Directive and today’s GDPR by stating that the latter reinforced the rights of the individual online, notably by establishing stricter, clearer and more understandable rules on privacy and data exchanges[8]. The notion of consent and “the right to be forgotten” in particular have come to the fore.
This means that “extensive information must be provided to individuals including details about recipients, retention periods and the range of their individual rights such as access and portability. All of this needs to be provided in an accessible language to ensure that it can easily be understood.”[9]
In practice, this is exemplified by the number of complaints and fines. The increased awareness of individuals of their rights regarding their online presence is observed as an “encouraging development”.[10] EDRi points out that more than 90,000 data breaches were notified[11]. A significant case that reflects the seriousness of the GDPR and its enforcement is the recent penalty against British Airways. The latter is facing a £183 million fine for breaching data protection rules, notably the GDPR. Borshoff from Politico reports:
“The Information Commissioner’s Office (ICO) fined British Airways for failing to protect user data after approximately 500,000 web customers were diverted to a fraudulent site, where attackers stole their details. The ICO believes the breach began in June 2018 and involved names, email addresses and credit card information. […] The penalty is the UK’s first and largest public fine since Europe’s new data regime came into effect in 2017”
Borshoff, I. (2019). British Airways hit with major fine in data theft case. Politico.
The response to this breach reflects the readiness of enforcement agencies and demonstrates the commitment to enforcing compliance with the GDPR. It is expected that such a substantial fine will encourage other companies and organisations to strengthen their data protection mechanisms.
Additionally, some speakers at the CEPS conference highlighted that there is also a cultural shift, in the sense that data protection has become a topic of high value and is receiving increasing importance and funding for its development. This cultural shift embraces fundamental human rights values in a “time of crisis of democracy”[12]. Consequently, data protection became a symbol that showcases a continuing development and improvement of our rights. As Paul Nemitz (Principal Adviser at DG Justice) claimed during the conference, “data protection is good news because with awareness comes activity”.[13]
Nevertheless, EDRi reminds us that the regulation is not a “magical solution”.[14] Indeed, it leads to a certain “fatigue of users”, dishonest circumvention by some, and the acceptance of data use due to a lack of understanding.[15] There is thus still some work to do on the human level for a better understanding of one’s rights and for information on what the GDPR does to safeguard them.
1.2. GDPR in the EU
With the adoption of the GDPR, an important step was the harmonisation of the laws on data protection across the EU. Indeed, with the free movement of goods, people, capital and labour, it seems natural that data, as an immaterial good, should also circulate freely and further contribute to the development of the single market, in which the regulation serves to ensure a minimum standard of protection for EU citizens.
The choice of a regulation as the legislative instrument was an important step to avoid too much discrepancy between the Member States.[16] Although the regulation still leaves some discretion to the Member States in its application, this is minimal compared to a directive.
This important strategic decision was intended to ensure proper implementation and facilitate enforcement. With the guidelines provided by the European Data Protection Board[17] – which brings together the supervisory authorities of each Member State – the GDPR was expected to “work towards uniformity of enforcement proceedings and determine disputes involving processing in more than one Member State”.[18]
Despite this general understanding of the regulation as a step towards integration, some scholars argue the opposite. Albrecht notes that some believe the GDPR would rather emphasise the discrepancies between the Member States than harmonise them.[19] Nevertheless, he goes on to argue that this argument remains rather weak, considering that the adoption of the GDPR as a regulation already represented a major step towards Union-wide harmonisation and increasingly affects data protection rules internationally.[20]
Although it is still too early to contrast different Member States’ compliance with the regulation, various actors have expressed the positive developments and directions the states took.[21] Despite some critics who claim that there are still “divergent interpretations by Member States”[22], Albrecht emphasises that it is normal for Member States to retain some of their competences, for instance where national security is concerned[23]. Overall, it is yet too early to determine whether the GDPR will be successful in homogenising data protection rules and activities, or if it is doomed, as some authors claim.
1.3. International reach of the GDPR
As Goddard points out, the operationalisation of data protection and privacy rules can be rather tricky due to the difficulty of conceptualising ‘privacy’.[24] While this is already a matter of difficulty within the Union, the GDPR’s implementation and impact for non-EU based companies requires attention in this first year. Prior to its implementation, scholars already anticipated a global response to the GDPR. Albrecht notably claimed that:
“It is paramount to understand how the GDPR will change not only the European data protection laws but nothing less than the whole world as we know it […]. [The GDPR] will serve as a global gold standard for every new innovation, for consumer trust in digital technologies and for an entry point to the growth opportunities of an emerging digital market.”[25]
This statement is increasingly proving correct when observing the adjustments anticipated and adopted by many foreign companies and organisations. At the CEPS conference[26], panellists representing the business and transatlantic point of view declared that there was a conscious effort to comply with the GDPR guidelines and rules. One of the speakers notably elaborated on the developments taking place in the state of California, home to many multinational companies. There is a state-wide will to incorporate many of the GDPR rules into the legislation. While the first step is at state level, the desire to bring this matter to the federal government remains strong.
Furthermore, the GDPR’s “wide jurisdictional scope” enables its enforcement against companies residing outside of the EU in situations where EU users are targeted and impacted by online usage.[27] Additionally, these companies must appoint an “EU-based representative” in charge of managing compliance and implementation. While this directly concerns companies with a European audience, a spillover effect is observable due to the widespread and extraterritorial reach of data transfers. Laybats and Davies question this scope of application by drawing attention to companies such as Amazon and Google, whose users are not only European but worldwide.[28] Whether the rules that apply to European users will be transposed homogeneously to the whole world remains unanswered at this point in time. Nevertheless, Goddard points out that:
“Organisations based outside the EU will also face pressure for GDPR compliance as part of the supply chain for research services. Clients using data processors based outside the EU will need to ensure that the higher GDPR standards are reflected in the contractual provisions. This may lead to more detailed supplier questionnaires and greater auditing of the business. Negotiations around apportionment of liability can also be expected to play a larger part of the contracting process.”[29]
Indeed, while the GDPR is becoming increasingly popular among organisations and companies, its scope remains principally limited to EU-linked businesses. Yet, its international reach should not be underestimated. Talks at the CEPS conference demonstrate a rather optimistic attitude on the future of data protection rules internationally.[30] Described as “a paramount cultural shift for businesses and companies”[31], the field of data protection is becoming a central concern for organisations that work towards creating adequate systems (privacy assessments, etc.). In fact, data protection is becoming an attractive starting point for the development of business models and new technologies that comply with the GDPR.
Overall, this confirms what Laybats and Davies claimed, that “there is an overwhelming societal desire for transparency on managing and the use of personal data, so the GDPR has superseded everything else”[32]. So far, Europe seems to have successfully exported this law and hopefully paved the way for further international developments.
2. Concluding remarks
As this article demonstrates, the GDPR represents a significant change for many actors. Whether it is for the individual user, EU companies or foreign organisations, the regulation seems to be expanding positively. While it is yet unknown how this will develop in the future in terms of EU harmonisation, the steps taken suggest a sustainable implementation of the rules.
Furthermore, the GDPR represents an important symbol for the advancement of democracy in an age of crisis. Indeed, with technological development come an increasing online presence and increasing amounts of data which can easily be misused. The regulation thus serves to protect important fundamental rights such as privacy and sanctions the illegal use of data and non-compliance. Although the law is enforced, there are still companies that try to circumvent the rules, including the social media giant Facebook. Nevertheless, increasing public awareness of the misuse of data and online exposure has contributed to the growing information available on one’s rights and the GDPR. Laybats and Davies affirm that:
“Demand is rising for regulation in this area and I believe that the GDPR is just the start. Once other people in countries not currently under GDPR protection consider the implications for their personal data and protecting it, it will only be a matter of time before other countries step up to the mark and draft their own GDPR.”[33]
Indeed, this statement is borne out by legislative developments in various places, notably in California, where there is a general trend towards the adoption of and compliance with the GDPR – whether voluntary or compulsory. Additionally, data protection is becoming more than a mere annoyance for companies, as exemplified by the development of new business models and technologies. Nevertheless, while some countries follow the trend and try to adopt similar rules, this is not the case everywhere. China, for instance, seems to be drifting away by incorporating more and more virtual and physical surveillance platforms in the name of security. This behaviour raises some questions about the application of the GDPR, notably whether it is undermined by its lack of global coverage.
In sum, this first year of the GDPR appears as a “test” year, in which many adjust their structures to comply with the law. It is still too early to assess its successes and failures; nevertheless, it seems to be heading in the right direction despite its flaws. Expectations that the GDPR will serve as a blueprint for others constitute an important basis for the development and safeguarding of democracy.
Nevin Birer
[1] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the EU 2016 L 119/1.
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the EU 1995- L 28.
[3] Marelli, L., & Testa, G. (2018). Scrutinizing the EU General Data Protection Regulation. Science, 360(6388), p. 496
[4] Ibid.
[5] Safari, B. A. (2016). Intangible privacy rights: How Europe’s GDPR will set a new global standard for personal data protection. Seton Hall L. Rev., 47, 809.
[6] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[7] EDRi (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[8] Laybats, C., & Davies, J. (2018). GDPR: Implementing the regulations. Business Information Review, 35(2), 81-83.
[9] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.
[10] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[11] EDRi (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[12] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[13] Nemitz, P. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[14] EDRi (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[15] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[16] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p. 287.
[17] Team, I. P. (2017). EU general data protection regulation (GDPR): an implementation and compliance guide. IT Governance Ltd.
[18] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), p. 704
[19] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, pp. 287 – 288.
[20] Ibid.
[21] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[22] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.
[23] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p. 287.
[24] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), p. 703.
[25] Albrecht, J. P. (2016). How the GDPR will change the world. Eur. Data Prot. L. Rev., 2, p. 287.
[26] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[27] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.
[28] Laybats, C., & Davies, J. (2018). GDPR: Implementing the regulations. Business Information Review, 35(2), 81-83.
[29] Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), p. 704.
[30] CEPS. (2019, June). In B.B. William Rechikson (Moderator), GDPR at one year. After a successful start, new challenges include enforcement and AI. Conference conducted at the meeting of CEPS, Brussels.
[31] Ibid.
[32] Laybats, C., & Davies, J. (2018). GDPR: Implementing the regulations. Business Information Review, 35(2), 81-83.
[33] Ibid, p. 83.