E.U.’s GDPR: A Messy, Imperfect Result of a Democratic Compromise
About the author: Damira Khatam is a Doctor of Science of Law (J.S.D.) candidate at Stanford Law School. She was awarded an FSI large research grant in Spring 2019 and traveled to Brussels and London to conduct her research.
If data is the new oil that fuels the global economy, we need regulations to prevent spills and pollution. In 2016, the European Union revised its data protection rules and enacted a new law, the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. It applies directly in each of the E.U.’s 28 member states and imposes a set of stringent rules on both public and private institutions that collect personal information of individuals. The GDPR’s text and the legislative process are unique in many ways. It was a result of over 4000 amendments making it the most lobbied regulation in the history of the European Parliament. It is backed by unprecedented penalties for privacy violations of up to 4% of the company’s global turnover and has had a significant impact on data processing around the world. Since GDPR enactment, many jurisdictions have been adopting GDPR-like privacy laws, including Japan, Brazil, and the California Consumer Privacy Act.
With an FSI grant, I went on a research trip to Europe to learn more about the GDPR legislative history, the role that various stakeholders played in negotiating the GDPR, and its global impact. I conducted semi-structured, anonymous interviews of European lawmakers, data protection agencies (DPAs), and experts within the civil society and private sector.
During my trip, I was able to collect a broad range of viewpoints. The private sector interviewees expressed frustration over GDPR’s ambiguous provisions and issues around the consistency in interpretation and enforcement among various DPAs. About 20% of complaints are related to cross-border data processing; and, thus, require coordination among DPAs. Some of these concerns, particularly related to the consistency mechanisms, were echoed by the DPAs. But at the same time, DPAs were excited about the new forms of collaboration that the new structure entails. One official from CNIL, France’s DPA, observed that although it is a learning curve, they’ve managed to find a common approach so far and feel inspired by the historical importance of the work the DPAs do together.
The interviewees from the E.U. Commission, E.U. Parliament and the Council of the European Union — the three law-making bodies that produced the GDPR — were, for the most part, proud with the outcome. They acknowledged the GDPR’s limitations but observed that it was a result of a compromise among divergent interests in 28 different countries that tried to balance individual privacy rights on one side and business innovation and economic growth in the digital economy on the other. And as with any compromise, it’s imperfect.
The role of lobbying, especially by American tech giants and the U.S. Government with the goal of “watering down” individual privacy protections, was significant in the GDPR legislative process. Interviewees within the E.U. Commission and the Parliament, in particular, complained about lobbying, which they characterized as aggressive and unprecedented. However, many observed that following Edward Snowden’s revelations about mass surveillance, the lobbying backfired and, in the end, amplified the urgency of adopting new data privacy rules.
On the last day of my trip, I went to the Parliamentarium in Brussels, the E.U. Parliament’s visitor center that contains interactive exhibits describing the history, benefits and public criticisms of the European Union. As I learned more about the creation and evolution of the European Union, I couldn’t help but draw parallels between the E.U. as an institution and the GDPR: both messy, imperfect results of the democratic process. But as Winston Churchill famously observed “[n]o one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time.” Just like democracy, GDPR isn’t perfect, but it is an important milestone for privacy in the digital age.
