Balancing rights under GDPR

Get ready for a roller-coaster ride

I finally finished reading the full text of the General Data Protection Directive, via a softcover edition I bought from Amazon.

For an electronic version of the full text, I highly recommend:

With the greater perspective ingesting the full regulation has given me, and the foundational knowledge of the online certification I took from IT Governance in the UK, I stand by my earlier assertions that the regulation is an important step forward in the Privacy world. I would go so far as to call it an upheaval — though I’m still relatively new in my investigations into online global speech and privacy issues.

That said, I discovered an article tucked away toward the back of the regulation which is important in what it does not say.

Art. 85 — Processing and freedom of expression and information

I’ll only quote the first paragraph:

1. “Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”

This speaks to a hypothetical question I explored here within the greater context of European rights, as I understand them:

I never came to a conclusive answer to that inquiry.

EU Charter conflict

Here is the underlying tension:

Article 8 of the EU Charter of Fundamental Rights guarantees protection of personal data.

“1. Everyone has the right to the protection of personal data concerning him or her.
 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”

Article 11, meanwhile, guarantees rights to freedom of expression and to information.

“1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

Purpose of the GDPR

My printed version of the regulation includes a supplementary section at the end, titled “Statement of the Council’s Reasons” (PDF), which is a statement made on first reading of the regulation by the Council of the European Union. Section II spells out what the objective of the regulation is:

“The General Data Protection Regulation harmonises the data protection rules in the European Union. The objectives of the Regulation are to reinforce data protection rights of individuals, facilitate the free flow of personal data in the single market and reduce administrative burden.”

The EU’s aim here is to basically set up what’s often referred to as a “one-stop-shop” for the so-called EU Digital Single Market. Entrepreneurs are able to reference one set of legal rules for doing business within the EU (even if they are not located there, GDPR still applies if they target EU citizens). It’s a good idea in theory.

The Problem

In practice, Article 85 kicks the ball further down the road, punting responsibility to Member States (i.e., national governments in the EU) for defining how the right to protection of personal data ought to be harmonized with the rights of expression and information.

In short, this is a problem. Possibly a big problem.

There’s no single clear answer given for what may prove to be the most fundamentally challenging question posed by the entire regulation.

Entrepreneurs who might benefit from the harmonized regulation within the common GDPR framework will *still* be required to validate their corporate rules against national decisions which are very likely to differ throughout the Union.

Obviously, I support the sovereignty of the states to decide these tough issues. And Article 85 has a provision in paragraph 3, which will hopefully make these national laws more readily discoverable:

“Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amendment law or amendment affecting them.”

That said, if part of the goal is to make a “one-stop-shop” regulation to attract foreign companies which have radically different privacy and data protection rules in their countries, the regulation falls significantly short here of its expressed objective of “reducing administrative burden.”

I will continue to investigate in subsequent installments whether EU member states have already passed laws which will apply here, but my overriding suspicion after immersing myself in these subjects over the past couple of months is that basically no one knows, and it’s still rapidly evolving.

Companies seeking compliance with the regulation, though they have strong guidance from the text of the regulation itself, will still be reliant on Member State laws, and decisions of the various member-state data supervisory authorities, the lead supervisory authority and — I think — the European Data Protection Board.

It’s going to be a bumpy ride.