After four years of preparation and debate, the EU’s General Data Protection Regulation (“GDPR”) was finally approved by the EU Parliament on April 14, 2016, coming into effect on May 25, 2018. Nine months after its enforcement, this article seeks to examine its impacts on individuals as well as businesses.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches. To be protected under the GDPR, you have to either be a citizen of the EU or be located in the EU, no matter where you are from. The GDPR protects the privacy rights of data subjects, including the Right to Access, the Right to be Forgotten, and the Right to Data Portability.
The Right to Access provides for data subjects’ right to obtain confirmation from the data controller on whether their personal data is being processed, where and for what purpose. The controller also needs to provide a copy of the personal data in an electronic format.
The Right to be Forgotten/Right to Erasure is protected by Article 17 of the GDPR and entitles the data subject to have the data controller erase personal data, cease further dissemination and potentially have third parties stop processing the data. This provision requires the data controller to weigh the data subject’s rights against the public interest when considering such requests to erase personal data.
The Right to Data Portability, under Article 20, stipulates data subjects’ right to receive their personal data from a controller and to have the data transmitted to another controller. In other words, if you wish to move to a new social media platform, you can directly request that your personal data be transferred to another company where it is technically feasible.
Organizations that disregard these rights of data subjects and are thus in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The GDPR takes a tiered approach to fines; for example, a company can be fined 2% of its annual global turnover for not having its records in order or for not notifying the supervising authority and the data subject about a breach.
These rights of individuals, along with other privacy rights, are further protected by the extended jurisdiction of the Regulation, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. This extraterritorial applicability, along with the potential for huge fines, is designed to prevent global technology companies from infringing upon EU citizens’ rights protected under the GDPR.
Individuals and NGOs concerned about the increasing capability of private companies and government bodies to collect and process private information online enthusiastically lauded the enactment of the Regulation with eager expectation. The torrent of data-related scandals in 2018, which drove new popular awareness of these issues, incited this enthusiasm further. Indeed, NGOs and individuals have filed a series of complaints aimed at companies like Google, Instagram, WhatsApp and Facebook, along with other tech companies. Even before key enforcement decisions on these complaints, the GDPR inspired government authorities and lawmakers around the world. For example, Chile amended its constitution to include data protection rights, India’s legislators introduced a draft of a new legal privacy framework with a broader range, and Brazil passed its own GDPR-inspired bill. However, the popularity and the wide powers of a law do not always result in its intended consequences: in this case, better protection of individuals’ privacy rights and freedom. In Romania, for example, the data protection authority has already made use of the Regulation to threaten journalists investigating corruption and to force them to reveal their sources.
Others are also concerned that the GDPR imposes an undue burden on businesses operating inside and outside of the Union. The Right to Data Portability requires companies to provide individuals their information in a structured, commonly used, and machine-readable format. This is necessary in order to make one’s data easily transferable to other companies at the request of the data subject. In addition, compared to huge tech companies such as Facebook, Google and Amazon, small and medium-sized businesses have far fewer resources to pour into their tech and legal teams for compliance and are more vulnerable to potential fines and penalties. This could deter emerging businesses from operating in the region and present a huge obstacle to future innovation. Indeed, some have pointed out that the GDPR could prevent companies from making use of any data that may fall under the regulation to develop blockchain technology.
In addition, companies have found ways to circumvent the Regulation, sometimes at the expense of consumers. When the GDPR came into effect, one of the immediate reactions of numerous U.S. websites was to deny or restrict access to EU visitors. Clearly, they were not prepared for GDPR compliance, despite the two years given before the regulation was enforced. Moreover, companies have found ways to avoid the GDPR’s reinforced conditions for consent, which require that the request for consent be given in an intelligible and easily accessible form. Consumers are now confronted with “consent management” pop-ups that enable consent with one click but impose obstacles on those who want to refuse.
It has become increasingly important to secure individual privacy and data security in the face of the advancement of technology and the capability of huge tech firms to make use of data, sometimes without the data subjects’ knowledge. However, it is also important to recognize the possible drawbacks and limitations of harsh protective measures before hurriedly adopting such legislation simply because it is inspired by the GDPR. Given the relatively short history of the Regulation, it seems a more prudent approach to observe and analyze the consequences of the GDPR, and how the EU deals with those consequences, before adopting any drastic measures.
Kenneth Kim is a J.D. candidate, 2020, at NYU School of Law.