The General Data Protection Regulation: An overview of its impact on European Society

Campbell Whyte - JF Law & French

Introduction

In the 21st century, the line between public life and private life is becoming increasingly blurred. Our lives are more online now than ever before. While this loss of privacy is due in part to our own willingness to share on social media, it is also due in part to the necessity of providing personal information online. This article will cover how the European Union has sought to protect privacy in the past and how it continues to do so today.

To exist in the digital age, individuals are required to digitize much sensitive information about themselves: Social media websites store email addresses, dates of birth and much more, hospitals can access detailed medical records, banks store PPS numbers and addresses, and shopping websites retain credit card information. There is little choice but to trust the security and ethics of businesses when giving them information, and while avoiding social media and online shopping may be possible, avoiding institutions such as banks, schools and hospitals is next to impossible. In order to counteract this loss of privacy and to protect people’s personal information, the European Parliament and Council agreed on the General Data Protection Regulation[1] (GDPR) in April 2016.

The GDPR as an International Document

The GDPR will come into effect on 25 May 2018, and companies must show compliance by that date. The GDPR is a significant piece of legislation which took five years to draft and consists of 87 pages and 99 articles subdivided into 11 chapters. It replaces the 1995 Data Protection Directive[2] and is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”[3]

The Data Protection Directive, passed to protect citizens in 1995, does not properly address the challenges to privacy in 2018, and the GDPR is designed to modernize data protection practices. Some of the data protected by the GDPR and now stored in online databases is basic identity information including name, address, ID number, and web data such as location, IP address, cookie data, health and genetic data, racial or ethnic data, political opinions and sexual orientation. The GDPR emphasises transparency and customer control and is intended to standardize data security laws, though individual states still retain some freedom.[4]

Under the GDPR, the European Union has much greater authority for prosecuting crimes involving personal privacy. As the GDPR is a Regulation instead of a Directive, it does not need to be incorporated into each country’s body of legislation to take legal force. The GDPR applies to all companies handling the personal information of EU citizens, even if the company is based outside of the EU. Non-EU companies processing the data of EU citizens will have to appoint an EU representative.[5]

Customer Rights under the GDPR

Under the GDPR, customers in the EU have new rights regarding their own data, and informed customer consent is paramount. Terms and conditions must be in an understandable language, retracting consent must be as easy as giving consent, and where consent to use data has been given previously for one purpose, consent must be given again if the company wants to use the data for a new purpose.[6]

Organisations offering online services to children under sixteen must get parental consent to process data, and these organisations are also obliged to make a reasonable effort to verify the age or parental consent of young data subjects. Customers have the right to not be subject to a decision made solely by automated processing that significantly impacts them; this in effect makes nonconsensual profiling illegal unless it is permitted by EU law or unless it is necessary for the fulfillment of a contract.[7]

Data subjects have the right to know what personal data of theirs is being processed and for what purpose, to ask for an electronic copy of their personal data free of charge, and to have this information transmitted to another company. Data subjects are also entitled to have companies erase all their personal data and halt all further dissemination and processing of it upon request, and companies are obliged to erase data that is no longer relevant to the original purpose for which it was collected.[8]

Impact on Business and the Public Sector

Almost all companies and public sector organizations are subject to the GDPR. All organizations whose core operations include processing a significant volume of personal data are obliged to appoint a Data Protections Officer who must be sufficiently well-resourced to carry out his/her duties. The tasks of the Data Protections Officer include notifying data processors of their legal obligations, monitoring compliance under the GDPR and reporting to senior management.[9] The Data Protections Officers must also ensure that companies give a full description of any breaches of personal data to the relevant Data Protections Authority without delay, including the approximate number of people affected, the likely consequences of the breach, and the measures being taken to mitigate the effects on customers.[10]

Legal Penalties for Non-Compliance

Under the GDPR, data infringements, such as insufficient customer consent to process data, poorly organized records, or failure to notify authorities about a data breach, will have greater penalties calculated as a percentage of the company’s annual turnover. There are two tiers of offences, and for more minor offences, a maximum fine of €10,000,000 or 2% of the company’s total annual turnover from the previous year may be imposed. This includes breaches of privacy by design obligations, failure to keep adequate records and failure to meet security requirements. For more severe offences, the maximum fine is €20,000,000 or 4% of the company’s annual turnover.[11] This includes breaches of the basic principles of data processing, infringements of conditions of consent and illegal transfers of data to countries outside of the European Union. These are very significant fines and will be very persuasive in terms of compliance. Companies found to be in violation of the GDPR will be fined without trial, as is current practice, but they may appeal the fine to courts in their own country.

Costs of the GDPR

The GDPR has supporters and detractors among companies that process large amounts of customer data. According to a PwC survey, 68% of US based companies expected to spend $1m to $2m to meet the requirements, and another 9% expected to spend more than $10m.[12] In May 2017, the Irish Data Protection Commissioner estimated that 70% of Irish businesses do not know when the GDPR comes into effect; 25% of businesses do not know when they will start preparations and 83% are unable to name any GDPR changes for their business.[13] Many law firms are profiting by training corporate clients in GDPR compliance, yet smaller firms and charities are concerned that they will not be able to afford such legal counsel. The GDPR may be difficult to enforce, and small businesses that can’t afford sophisticated legal counsel may be hurt by this. As regards large businesses, the consulting firm, Oliver Wyman, predicts that companies in the FTSE 100 index could pay up to £5 billion a year in non-compliance fines when the GDPR comes into effect.[14] However, firms who implement privacy systems compliant with the GDPR could see benefits in the near future, as customers will likely have a preference for companies with strong data protection and fewer data breaches.

The potential impact of the GDPR

The GDPR has the power to effect sweeping change in how companies respect citizens’ data rights, and prevent breaches of privacy that are becoming far too common today. For example, Google has been criticized by the French CNIL for storing customers’ online data for up to two years, for failing to give customers sufficient information on how their data will be used and how long it will be stored, and for failing to cooperate with commissioners. The GDPR could very well make Europe an example to the rest of the world of how to legislate and protect privacy, and as such countries which are not bound by the GDPR may decide to revise their own outdated and insufficient data laws. For example, the US has individual sector-specific regulations but no overarching data privacy legislation, and the UK is not bound by the GDPR now that it has exited the European Union, and both may soon see a need to implement legislation similar to the GDPR.

Conclusion

The GDPR is not without its faults. Some have criticised it for its extraterritorial jurisdiction and concerns about enforceability; others for stifling business through over-regulation. Indeed, it is a substantial piece of legislation, and the first few years may present difficulties while organizations try to adapt. However, these problems do not negate the potential of the GDPR to create long lasting benefits in not just Europe but the world.[15]

For years now the loss of privacy has been lamented as inevitable, and though it is inevitable to some degree, recent change shows that it is not completely unavoidable. Pessimistic beliefs that privacy is dead only lead to an attitude of complacency and acceptance towards violations of rights and thus hasten the demise of privacy. Acts, such as the GDPR, effect genuine change and show us that we are not obliged to passively accept a world in which companies disrespect customer privacy with impunity.

[1] 2016/679

[2] 95/46/EC

[3] European Union General Data Protection Regulation Portal <https://www.eugdpr.org> accessed 5 January 2018

[4] https://www.dataprotection.ie/docs/GDPR/1623.htm

[5] https://www.eugdpr.org/key-changes.html

[6] https://dataprotection.ie/viewdoc.asp?DocID=1629&ad=1

[7] https://dataprotection.ie/viewdoc.asp?DocID=1629&ad=1

[8] https://www.eugdpr.org/key-changes.html

[9] ‘General Data Protections: 6 Things You Need to Know’, <https://www.mhc.ie/latest/insights/general-data-protection-regulation-6-things-you-need-to-know> accessed 6 January 2018>

[10] ‘The GDPR and You’, Data Protection Commissioner <https://www.dataprotection.ie/docimages/documents/The%20GDPR%20and%20You.pdf >

[11]‘Reforming Data Protection Law: Introducing the General Data Protection Regulation’ <https://www.mhc.ie/latest/blog/reforming-data-protection-law-introducing-the-general-data-protection-regulation> accessed 2 January 2018

[12] ‘GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey’

<https://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html> accessed 3 January 2018

[13] ‘One year to game-changing General Data Protection Regulation but just 14% of SMEs have begun getting ready’

<https://www.dataprotection.ie/docs/EN/25-05-2017-Press-release-1-year-to-GDPR/i/1635.htm> accesssed 3 January 2018

[14]<http://www.oliverwyman.com/media-center/2017/may/ftse-100-companies-could-face-up-to-p5-billion-a-year-in-fines-w.html>

[15] Charles Arthur, ‘Google Privacy Policy Slammed by EU Data Protection Chiefs’ The Guardian (16 October 2012), <https://www.theguardian.com/technology/2012/oct/16/google-privacy-policies-eu-data-protection> accessed 5 January 2018.

Leave a Reply