It's been three years this week since one of Europe's most groundbreaking pieces of legislation, the General Data Protection Regulation (GDPR), came into force.
Although it is European legislation, the GDPR’s impact has been global. Once in place, it established a high data protection bar for Europeans, and not just for EU-based organisations. As of May 25th, 2018, any entity anywhere has had to comply with the GDPR if it wants to do business with the people within one of the world’s largest economic markets.
Pre-GDPR, the EU already had some of the world’s strongest data protection laws but they lacked the sharp teeth of consequential enforcement. Beyond EU borders, they were generally considered so meaningless as to be routinely ignored.
Such scepticism was warranted. But that changed after a series of European data protection milestones (most involving Ireland) arrived in quick succession. First, in a case brought by Digital Rights Ireland against the State's data retention laws, the European Court of Justice (ECJ) decided in 2014 to invalidate the entire EU Data Retention Directive.
The following year, the ECJ gave its ruling in the first case brought by activist Max Schrems, after he sought a judicial review following a ruling by the Irish Data Protection Commissioner over a complaint he filed against Facebook. The ECJ ruled in Schrems's favour and, in the process, declared the existing EU-US data transfer protocol, Safe Harbour, invalid.
These cases informed the drafting of the GDPR, which had to be shaped to accommodate the opinion of Europe’s highest court – a body that had not previously weighed in on data protection issues with such force and clarity.
EU officials were well aware of the far-reaching nature of the GDPR and recognised that, with its significant protections, compliance requirements, and wake-up-and-pay-attention punishments (a fine of 4 per cent of global revenue tends to grab notice), organisations should be granted time to prepare for compliance. Hence, they gave them two years to get ready. The GDPR was actually passed as law in April 2016, technically making it five years old, not three.
Current status
Where are we now with GDPR? On the negative side: the regular silly citations of supposedly GDPR-mandated minor outrages (which never actually are GDPR-mandated). These lead people to believe, wrongly, that a law which gives them significant protections is there to eat away at perceived conveniences – whether it be signing a visitor guestbook or getting their hair coloured. It does not.
This is connected to another negative: the growth in organisations using the GDPR as a reason not to disclose information they are lawfully required to release – for example, in compliance with valid Freedom of Information requests. The GDPR is too often used as a bureaucratic dodge to avoid public scrutiny.
Some of the GDPR remains functionally clunky, with Ireland a case in point. The one-stop-shop mechanism, under which many important complaints about tech multinationals are referred to the Republic, has created a backlog (and burden) of still-unaddressed complaints here.
In the EU and globally, many (including other EU national data protection commissions) have criticised the moderate penalties Ireland has issued and the slow pace of case-handling. (I’ve previously argued that EU cases involving companies above a certain size should instead be referred to a pan-EU data protection panel, given the vast resources of such companies to fight cases.)
On the plus side: protections, protections, protections. For example, it isn’t enough now for organisations to say they were slowly implementing needed security when a breach occurred. They have clear obligations to protect data, and to have sensitive data backed up and encrypted.
Everyone in Ireland will realise why this is critical, and why – no matter the argument for “convenience” – any project (like a single unique health identifier, or a public services card) that pulls together identifiable data easily linked to a person should satisfy numerous data protection concerns well before implementation.
Threat of litigation
As for the HSE (Ireland's Health Service Executive) following the cyberattack on its system, it likely has questions to answer, and may face the prospect of individual or class action litigation from those whose data has been exposed.
The threat of such litigation apparently worries organisations more than the law’s actual fines, according to a survey this week by UK security company Egress. Some 90 per cent of UK security and data protection officers said they feared personal litigation more than GDPR fines.
The biggest positive is that the GDPR, as the world’s strongest data protection legislation, has forced a higher standard of data protection worldwide. Many companies have had to offer a similar level of protections to all customers or service users, because people elsewhere rightly demanded better.
Many have been forced to reveal the scope of their data-slurping on websites and apps, increasing consumer ire and driving change.
Much is still unresolved. Alongside the ongoing questions about the GDPR’s functionality at complaint level are uncertainties over the future of EU-US data transfers, which seem unlikely to be compliant under Privacy Shield, the replacement for Safe Harbour. As we emerge slowly from the Covid pandemic, which slowed examination of these issues, expect the GDPR to be back in the headlines again.