Europe’s Data Privacy Rules Set New Global Approach to Consumer Rights
Arguably the biggest change to the regulatory landscape to influence the digital economy – the General Data Protection Regulation (GDPR) – took effect in the European Union last Friday. Its impacts will be felt globally as businesses doing business with the EU seek to comply. Aimed at protecting and regulating the use of personal information, this comprehensive set of rules seeks to harmonise data privacy laws across Europe, enhance EU citizens’ rights to manage their personal data, and reshape the way organisations across the region operate in the digital domain.
“I think there is no doubt that data protection is crucial for our citizens as personal data protection is a fundamental right in the EU. But it is also crucial for our business as data protection is a gateway issue for trust in the digital economy,” said Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality.
The regulation will give Europeans more control over their personal data and ensure its protection – no matter where it is sent, processed, or stored – even outside the EU.
“Data protection is directly linked to trust. When individuals are afraid that others will not respect their privacy or fail to guarantee the security of their data, they lose confidence and become reluctant to share those data. Trust is thus a key resource of the digital economy,” said Jourová.
“More than 9 in 10 Europeans told us they want the same data protection rights across the EU – and as of today this will be the reality,” she added.
The European Commission considers that the new rules will stimulate economic growth through cutting costs and red tape for European businesses, including small and medium-sized enterprises. Companies will now have to comply with continent-wide rules, instead of 28 different sets of regulations.
Personal data collected, analysed, and moved across the globe has acquired substantial economic significance. According to Commission estimates, the total value of EU citizens’ data has the potential to grow to €1 trillion annually by 2020.
The unprecedented scope of GDPR puts Europe at the forefront of global privacy regulation. “The new rules are beginning to set a global standard for privacy. They will help to bring back the trust we need to be successful in a global digital economy,” said Jourová.
GDPR is a product of years of intense negotiations, including thousands of proposed amendments, with the building blocks having been present in European law for over two decades. The new rules supersede the 1995 Data Protection Directive, which regulated the processing of personal data, guided by the principles of transparency, legitimate purpose, and proportionality.
GDPR differs fundamentally from the previous regulation in its application and enforcement. GDPR imposes a common set of rules for the entire Union, and also applies extraterritorially to all companies regardless of location. Enforcement relates to the capacity of regulators to fine any company for non-compliance with GDPR.
What is GDPR about?
The new data protection regulation consists of 11 chapters broken down into 99 articles covering the rights of “data subjects” (people residing on the territory of the EU); the responsibilities of the controllers and processors of data; transfers of personal data to third countries or international organisations; the actions of independent supervisory authorities; and the applications of remedies, liabilities, and penalties.
The regulation also clarifies what constitutes personal data. This includes name, address, localisation, online identifier, health, and income information, cultural profile, and other personal characteristics.
The major part concerns the rights of data subjects. Under GDPR, all citizens residing in an EU country have a right to access their personal information, which essentially means that they can seek and obtain confirmation as to whether their personal data is being processed, where, and for what purpose. The controller, in turn, must provide a copy of this data in electronic format free of charge.
The right to erasure, commonly known as “the right to be forgotten,” allows people to request that the data controller erase personal data and cease its further dissemination, potentially halting third parties from using this information. This can happen when the data is no longer relevant to the original processing purpose, or when a data subject decides to withdraw consent on data usage.
Data portability – a highly debated aspect of GDPR – ensures that data subjects can receive from a controller personal data which they have previously provided, and transmit it to another controller.
“Data protection by design” is another key concept, which has existed for years and has now become a part of legal requirements under GDPR. This requirement stipulates that data protection safeguards are built into products and services from an earlier stage of development, and that privacy-friendly settings are the default norm.
When it comes to the responsibility of businesses, GDPR imposes restrictions on the processing of personal information and can enforce compliance through stiff penalties.
Companies can no longer employ long and opaque conditions for user consent regarding the processing of personal data. All such requests for consent must be made in simple and accessible forms, notifying data subjects on how exactly their data is going to be used and processed. Consent must be distinguishable from all other matters, including any additional information provided at the moment of signing the consent form, written in clear and plain language.
Non-compliance with GDPR can lead to serious financial consequences. The approach to penalties is tiered, depending on the nature of the violation. Fines can reach up to 4 percent of a company’s annual turnover or €20 million, whichever is greater. This maximum fine can be imposed for the most serious infringements, such as using and processing personal data without sufficient consent or violating the principle of data protection by design. Failure to keep data records in order or to notify the supervisory authority of a data breach can result in a fine of 2 percent of a company’s annual turnover.
Importantly, penalties apply to both controllers and processors of data, meaning that “cloud services” will not be exempt from enforcement.
Data breach notification under GDPR has become mandatory in all cases when it is likely to “result in a risk for the rights and freedoms of individuals.” Companies must report a data breach within 72 hours of first becoming aware of having been exposed, while data processors have to notify customers and controllers “without undue delay.”
At the same time, GDPR provides businesses with a simplified operational framework. A single pan-European law applies to all operators instead of the inconsistent patchwork of national laws that previously existed. The estimated benefits of harmonisation could reach €2.3 billion per year, according to the Commission.
In addition, a “one-stop-shop” for businesses ensures that companies will only have to deal with a single EU-wide supervisory authority.
The most significant change is arguably the extended jurisdiction of GDPR, as the rules apply to all companies doing business on the territory of the EU single market, even when based outside of the Union. “This creates a level playing field,” according to the Commission.
On Friday 25 May, when GDPR became fully applicable in the EU, dozens of websites reportedly had to shut down their activities. Others urged users to agree to updated privacy rules, flooding e-mail accounts with requests to opt in or out of mailing lists.
The websites of US-based news outlets the Chicago Tribune, the Los Angeles Times, and the New York Daily News displayed a warning message that their services were currently “unavailable in most European countries.”
Facebook, Google, and Facebook-owned Instagram and WhatsApp immediately came under scrutiny in four separate cases in Austria, Belgium, France, and Germany as the regulation took effect.
An activist privacy non-profit organisation, noyb.eu, filed complaints against these social media platforms regarding an alleged breach of GDPR rules requiring companies to obtain explicit consent from their users prior to processing personal data.
Max Schrems, the Austrian lawyer and founder of noyb.eu who launched these complaints, was also behind the landmark lawsuit which effectively ended the Safe Harbour data sharing agreement between the EU and US.
The controversial deal consisted of a set of principles developed between 1998 and 2000 to prevent private organisations across the Atlantic from accidentally disclosing or losing personal information. The agreement was overturned in 2015 by the European Court of Justice on the basis of a complaint filed in 2013 against Facebook regarding insufficient protection of data.
EU Digital Single Market
GDPR falls within the broader agenda of the Digital Single Market (DSM) – a comprehensive strategy designed to create a common set of EU-wide rules intended to ease cross-border e-commerce and better integrate the bloc and prepare it for the digital age. (See Bridges Weekly, 26 October 2017)
Adopted in May 2015, the DSM strategy includes measures to boost e-commerce development and make cross-border parcel delivery more efficient, modernise EU copyright rules, update audiovisual rules, and enhance cybersecurity, among others. (See Bridges Weekly, 22 March 2018)
Earlier this month, the Commission published the results of the 2018 Digital Economy and Society Index, a tool which monitors the performance of EU members in digital connectivity, digital skills, online activity, the digitisation of businesses, and digital public services.
“This is a shift, albeit small, in the right digital direction. As a whole, the EU is making progress but not yet enough. In the meantime, other countries and regions around the world are improving faster. This is why we should invest more in digital and also complete the Digital Single Market as soon as possible: to boost Europe’s digital performance, provide first-class connectivity, online public services and a thriving e-commerce sector,” said Andrus Ansip, Vice-President for the Digital Single Market.
The EU’s executive arm has identified three main areas where “further action is needed,” including developing the potential of the data economy, tackling cybersecurity challenges, and promoting online platforms.
According to the European Commission, DSM could contribute €415 billion per year to the bloc’s economy and generate “hundreds of thousands” of new jobs.
Data regulation, trade cooperation, and sustainable development
Data regulations and broader concepts surrounding the digital economy have become an important element in trade and sustainability objectives. According to the United Nations Conference on Trade and Development (UNCTAD), a wide range of socio-economic activities is moving online, transforming businesses and people-to-people interactions.
Against this background, world leaders have underscored the importance of adopting relevant policy responses for achieving the Sustainable Development Goals (SDGs).
“We at UNCTAD are excited by the transformational power of digitalization, but we must recognize that the Internet is not a panacea,” UNCTAD Secretary-General Mukhisa Kituyi said. “Effective national and international policies are needed to make sure the gains are spread evenly across as well as within countries,” he added.
International regulation of data privacy and digital trade in general is fragmented and largely regional in nature. Besides the EU, data privacy is on the agenda of Asia-Pacific Economic Cooperation (APEC), comprising 21 economies on both sides of the Pacific Ocean. Many recently negotiated trade agreements, such as the EU-Canada Comprehensive Economic and Trade Agreement (CETA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), view data privacy as an integral part of e-commerce development and economic cooperation.
Issues around the digital economy have also been increasingly featured in the G20 agenda for the past several years, where global leaders are seeking to improve coordination around management of the digital economy and e-commerce.
This has included meetings of ministers responsible for digital issues as well as a focus in the Trade and Investment Working Group (TIWG). Under the current rotating Argentine presidency, the Think 20, a network of research institutes and independent think tanks providing analysis to G20 leaders, will soon release a series of policy briefs and recommendations on how the group of major advanced and emerging economies should manage these issues.
ICTSD Reporting; “GDPR: US news sites unavailable to EU users under new rules,” BBC NEWS, 25 May 2018; “Sites block users, shut down activities and flood inboxes as GDPR rules loom,” THE GUARDIAN, 24 May 2018; “Blocking 500 million users is easier than complying with Europe’s new rules,” BLOOMBERG, 25 May 2018; “Silicon Valley giants hit with first complaints on day one of GDPR,” EURACTIV, 25 May 2018.