Around the World in 99 Articles: The Implications of GDPR in the EU and Abroad
tl;dr: With transnational companies’ great power comes great responsibility for protecting data.
Pop-up advertisements are old news. Enter pop-up messages asking Internet users about their cookie preferences. As a result of the implementation of the General Data Protection Regulation (GDPR) of the European Union in May 2018, users have been prompted to give their consent for web identifiers such as cookies to be collected and stored. Yet the purposes of GDPR and its implications for small, medium, and large businesses remain unexplored amid mixed opinions of criticism and praise aimed at the regulation.
Even though GDPR manifests itself through pop-up messages asking for users’ cookie preferences, the regulation extends to include personal data such as basic identity information, web data as well as sensitive data such as health, genetic and biometric data, racial or ethnic data, political opinions, and sexual orientation. Furthermore, GDPR is distinct for its inclusion of pseudonymized personal data under the rule of law.
Replacing the EU Directive on Data Protection, which dates back to 1995, GDPR is planned as an updated regulation, suited to fit the transformations that have occurred since the commercialization of the Internet from the time that the Directive on Data Protection was introduced (Burri & Schär 2016).
Following revelations about the collection and storage of data of unaware users by corporations, the implementation of GDPR grants users the right to control who and how manages their data, the right to request the removal of their data, and the “right to be forgotten”.
The regulation affects the activities of any company but with a specific focus on technology firms and marketers which will be scrutinized more closely as they collect vast amounts of data from users around the globe. Non-compliant companies could face fines of up to four per cent of their revenue.
Despite the fact that GDPR was drafted and implemented in the EU, the implications and effects of the legislation are as geographically fluid as the flow of data itself. In fact, GDPR also affects the foreign companies which do not conduct direct business activities with any of the member states of the Union. More particularly, the regulation covers any organization operating within the borders of the Union as well as any outside organization which offers goods and services to EU citizens.
As such, the practical implications of GDPR extend beyond the borders of the Union and include the United States as the home of the headquarters of digital platforms such as Facebook and Google. While some websites and platforms allow users to manage their cookie preferences or even decline them altogether, Facebook and Google have found a loophole and force their users to opt-in, that is, agree with the platform’s policy.
Consequently, Facebook and Google have been accused of offering pretense control of users over their data and obstructing users’ abilities to delete their data respectively. Even further, the two companies have been dealing with lawsuits regarding their compliance with GDPR from the day the regulation was implemented. As a result of those lawsuits, Facebook and Google are facing the threat of fines amounting to 3.9 billion euro and 3.7 billion euro respectively.
On the other hand, some argue that GDPR has introduced draconian measures which were designed to target Facebook and Google from the outset. More particularly, Facebook has blamed the new regulation for a decline in monthly active users of the platform in Europe as well as a reduction of advertising revenue. Still others point at the damage that GDPR is doing to small start-up companies which do not have the resources of giants such as Facebook and Google.
Despite the backlash against GDPR and its effects on small firms and giants alike, the regulation is still in force and mechanisms measuring those effects have been set up. As of February 2019, 59,000 data breaches in the EU solely have been brought to light and documented as per the regulation of GDPR. Statistics on information collected in France, Germany, Ireland, Italy, Poland, Romania, Sweden, and the United Kingdom show that not only are complaints and breach notifications brought to regulatory authorities, but some industry associations have submitted their codes of conduct and more are expected.
What poses a great difficulty regardless of location and state-specific legislation is the conflict underpinning the regulation: privacy as a liberty versus security. Users’ privacy and the control of their personal and sensitive data are rights clashing with governments’ insisting on allowing state authorities and businesses to collect and store users’ data in order to protect them.
For that reason, no absolute position on the effectiveness of GDPR, much of which have been expressed since the initiation of the draft, can be taken as authoritative. Yet a few key aspects of the legislation should be taken into consideration in the course of work as a media professional in the international media landscape.
These three key features of the GDPR, bearing implications for media professionals as well as the organizations they work, indicate that the regulation exerts control not only around the world but also over business processes from their very launch and over data collected prior to the introduction of the regulation.:
GDPR provides more specific definitions of personal data than the Directive on Data Protection and includes biometric data and metadata such as IP addresses which can identify a particular Internet user. For that reason, business entities of any size both within the EU and in other parts of the world should keep the nature of the data they store into consideration in order to be compliant with the regulation. As the definition of personal and identity data is more expansive and more specific than the one in the Directive on Data Protection, organizations have more requirements and less room for exploiting loopholes in the language of the legislation.
In line with the needs of social media platforms and transnational corporations, GDPR established mechanisms which ensure that cross-border data transfers meet specific criteria of protection. More specifically, such transfers to third countries, that is, countries outside the Union, need to be permitted through a decision made by the European Commission. Such a permission, called Adequacy Decision, is based on criteria such as access to justice, international human rights norms, legislation concerning public security, defense and national security, and public order that are established in those third countries. If such a decision cannot be made, then other safeguard measures will be taken so as to ensure that users’ data is protected wherever it lands beyond the Union borders.
Organizations are required to follow the principle of privacy by design. In other words, newly established businesses which collect and handle data should remain compliant with the regulation from the inception of their processes while others should erase data that is not in use.
In brief, a contemporary media professional needs to be well informed of the latest developments in regulation on the works of the industry regardless of their location. Given the fluid nature of data, journalists in any part of the world are equally required to have a clear understanding of the definition of personal data and how they can handle it without violating the law. Finally, the protection of data is not solely ensured on institutional level but, as professionals who handle personal data as part of their stories, journalists also need to take measures to that end.
References
Burri, M. & Schär, R. (2016). The Reform of the EU Data Protection Framework: Outlining Key Changes and AssessingTheir Fitness for a Data-Driven Economy. Journal of Information Policy, 6, pp. 479–511. Retrieved from https://www.jstor.org/stable/10.5325/jinfopoli.6.2016.0479
