The European Union’s biggest reform of data protection law in over 20 years, the General Data Protection Regulation (GDPR), has applied since 25 May 2018.
This means that every individual, company or organisation that processes the personal data of people in the European Union now has to comply with the same set of strengthened rules on the collection, storage and protection of that data, wherever the organisation itself is based. The regulation replaces a directive dating back to 1995 and arguably could not have come at a more significant time: it was recently disclosed that up to 2.7 million Europeans were affected by the large-scale data harvesting operation carried out by Cambridge Analytica. Given the current pace of technological change, a rigorous legislative update had become a necessity to safeguard people’s online privacy.
The GDPR introduces a number of significant changes. First, it establishes a “right to be forgotten” (formally the right to erasure), which gives every European user the right to have personal data about them deleted on request, subject to a number of exceptions such as a legal obligation to retain it. Consent for data collection and storage has to be freely and explicitly given, and not through a pop-up full of complicated legal language to which one can ‘Agree’ or ‘Not Agree’, but in an “intelligible and easily accessible form, using clear and plain language”. Another new rule, known as “data protection by design and by default” (often shortened to “Privacy by Design”), requires that only the data strictly necessary for a given purpose is collected and stored, and that it is protected with appropriate safeguards from the moment it is saved rather than as an afterthought. Shocking that a rule like this was not in place before, isn’t it?
Other aspects of the GDPR include extended responsibilities and powers for national data protection authorities, and the establishment of the European Data Protection Board as a body that coordinates them and ensures the regulation is applied consistently across the EU. Breaking the rules can lead to fines of up to 20 million euros or 4 percent of the previous year’s worldwide annual turnover, whichever is higher (which, for a large company, can be a lot more than 20 million). Plenty of reason to comply.
Due to their extensive commercial ties with Europe, other countries appear eager to follow Europe’s example and are remodelling their domestic data protection standards to avoid future trouble. The European Union seems to have succeeded in exporting its norms to the wider world, influencing not only other governments but also the global privacy policies of the large technology companies. Replacing a directive, which each member state had to transpose into its own law, with a regulation that applies directly and uniformly signals that the EU is ready to tighten its grip on privacy and data protection. Arguably, a gigantic overhaul of legislation in a world as closely connected as ours only really makes a difference when others move in the same direction. In this case, the European Union’s power to shape global norms, backed by its economic weight, seems to be paying off.
There is no denying that this new European data protection framework is an important and much needed step, but it should also be recognised that the knife cuts both ways. Some observers have warned that the new regulation plays straight into the hands of cybercriminals. The WHOIS database, one of the prime global tools for fighting cybercrime, lets anyone look up an internet domain and see who registered it: the registrant’s name, postal address, e-mail address and telephone number. Its entire model is therefore based on the storage and public availability of exactly the kind of personal data the GDPR regulates, and publishing that data without a lawful basis would be a breach, which is why registrars and registries have begun redacting it from public lookups. The underlying records are still held by the registrars and can be requested through legal channels, but the instant, anonymous lookup that investigators relied on is gone. The loss of that open access is predicted to have as a consequence that “every form of cybercrime is going to increase noticeably”. A very unwelcome side effect that should probably be tackled.
Problems also arise in the area of anti-fraud and anti-money-laundering policy. Financial companies struggle as they have to navigate an avalanche of revised legislation in 2018, with new versions of the Markets in Financial Instruments Directive (MiFID II), the Payment Services Directive (PSD2) and the Anti-Money Laundering Directive. The GDPR pulls in the opposite direction from certain elements of these, making full compliance with EU law seem difficult to achieve. For example, the Anti-Money Laundering Directive requires financial institutions to retain customer due diligence and transaction records for years after a business relationship ends so that fraud and laundering can be investigated, whereas the GDPR’s storage limitation and data minimisation principles require personal data to be kept no longer than necessary. The GDPR does allow processing that is necessary to comply with a legal obligation, so the friction is less a flat contradiction than a question of which data must be kept, for how long and for what purposes. Discussions about the precise details of implementation appear to be ongoing, signalling that some fine-tuning will be necessary in this area too.
The GDPR gives European users a lot more control over what happens to their personal data online, and notably increases their rights and protections. But the broad scope of the regulation extends its effect into domains where it does not always function as intended. Time will tell whether this gives rise to insurmountable problems, and future recasts of the regulation are not unthinkable. To smooth out the bumps in this fresh piece of legislation, the GDPR will have to keep developing alongside the ever-accelerating growth of technology. Only then can it truly serve the purpose it was meant to, and become a new flagship of the EU’s normative influence in the world.