The EU’s General Data Protection Regulation (GDPR) is a culmination and refinement of over three decades of privacy regulation within the EU. It offers a compelling model for privacy regulation by treating personal data as personal property, focusing on compliance with the spirit of the regulation rather than the letter of the law, and approaching enforcement in a similar manner to that of financial regulations. It’s a humanistic and pragmatic solution to a difficult problem, and, I believe, sets a forward-looking example for privacy regulation in the US.
The protection of personal data is a right explicitly protected by the EU Charter of Fundamental Rights. By contrast, although privacy is mentioned in many state constitutions, it is not an explicitly protected right in the US Constitution. Rather, it is protected implicitly by the Constitution as interpreted by the Supreme Court. This fundamental difference in the value placed on personal data privacy explains why the conversations and activities around personal privacy in the EU and US contrast so sharply.
In 1981, all members of the Council of Europe ratified Convention 108, the Convention for the protection of individuals with regard to automatic processing of personal data.
“This Convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data. In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of ‘sensitive’ data on a person’s race, politics, health, religion, sexual life, criminal record, etc., in the absence of proper legal safeguards. The Convention also enshrines the individual’s right to know that information is stored on him or her and, if necessary, to have it corrected.”
The treaty required signatories to pass legislation aimed at protecting individuals’ right to privacy, but did not provide much in the way of specifics, leaving the job of creating and enforcing standards and guidelines up to the governments of the enacting member states. At the time, the only widely known data privacy standard was a set of recommendations from the OECD for protecting personal data, but these guidelines were non-binding, and the treaty did not require members to implement any specific standard. The result was that Council of Europe members enacted a hugely divergent range of data protection legislation, with differing standards, definitions, and stipulations.
Realizing that this situation only impeded the free flow of data among its member states, the EU adopted Directive 95/46/EC in 1995. Also known as the Data Protection Directive, it was intended to regulate the processing of personal data within the EU. It was much better defined, incorporating all seven of the OECD’s recommendations for personal data protection, and thereby created a unified standard for data protection. However, because it was a directive, members were required to transpose it into law individually, at the national level. As you can probably imagine, this resulted in a fractured and byzantine data protection landscape, as each of the member states enacted its own data protection legislation.
In January of 2012, the European Commission, European Parliament, and the Council of the European Union proposed the General Data Protection Regulation, or GDPR, to supersede the Data Protection Directive. Its goals were to unify data protection regulation across the EU, improve the rules around corporate transfer of data outside the EU, and increase individual citizens’ control over their personal identifying data. It was adopted in April of 2016, published on May 4th, and went into force on May 25th of the same year. It is enforceable from May 25th, 2018 — just over nine months from the time of this writing.
Core Ideas of the GDPR
Personal Data as Personal Property
The GDPR protects not only citizens and residents, but all data subjects who are physically in the EU, and it treats personal data much like personal property — your data belongs to you, not the controller or processor of that data. To that end, it provides several related rights for individuals, listed below. Quotes are from the ICO’s website. Follow each link for more details.
The right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data. (link)
The right of access
Under the GDPR, individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information — this largely corresponds to the information that should be provided in a privacy notice (see Article 15). (link)
The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate. (link)
The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. (link)
The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.
When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. (link)
The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. (link)
The right to object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics. (link)
Rights related to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. (link)
It also defines requirements around consent more rigorously…
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action — or in other words, a positive opt-in — consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given. (link)
…and recommends pseudonymisation measures like encryption to “reduce risks to the data subjects”.
Accountability and Enforcement
Under the GDPR, the companies and organizations that collect or process personal data are responsible for protecting that data by design and by default. They are also required by law not only to show that they are in compliance, but to show how they are in compliance.
Organizations will be audited by a data protection authority (DPA; the GDPR itself calls these bodies supervisory authorities, and this DPA is not the UK Data Protection Act abbreviated the same way in the ICO quotes above), which will determine whether or not they comply with the spirit of the regulation, discouraging organizations from focusing on finding loopholes. Consumers can also bring complaints directly to the DPA, and the penalties range from a warning to a fine of €20m or 4% of annual turnover, whichever is greater, per offense.
The GDPR represents the largest, most comprehensive regulatory effort to date to protect the data privacy rights of individuals. It will be interesting to see how its adoption plays out, and I’m sure there will be lots of lessons learned along the way. However, in my opinion, the stipulations laid out in the GDPR’s principles, articles, and recitals admirably incentivize organizations to be good stewards of personal data and place control of personal data more firmly into the hands of individuals, where it belongs — something I hope to see happen in the US in the near future.
There is more to the GDPR than can be covered here. If you are interested in data privacy, I recommend reading the GDPR in full, as well as related legislation, websites, and analysis. Here are a few links to get you started:
- GDPR Infographic, on the European Commission website
- Original proposal for the GDPR, by the European Commission
- The GDPR on EUR-Lex
- The ICO’s Overview of the General Data Protection Regulation (GDPR), and its self-assessment tool
- The “Protecting your personal data” section of the European Commission’s website
Credits: This post reflects my own opinions, and is based on notes I took in a workshop I attended on the GDPR given by Tim Walters, PhD, and my own research.
Disclaimer: This post does not offer legal advice. This is free. Legal advice you have to pay for. If you need legal advice, consult with a lawyer instead of a blog.