On 14 April 2016 the European Parliament formally adopted the new European General Data Protection Regulation (GDPR), marking the end of a long and complex legislative process that has lasted over 4 years.
The new Regulation is good news for consumers’ privacy. It shall increase transparency around the use of personal data online and effectively give consumers greater control over how, when, by whom and for what purposes their personal data is collected and used. The GDPR will replace the current European rules on data protection, which date from 1995. This new European law will establish a modern and unified legal framework to address the privacy challenges posed by the digital revolution. The regulation will be directly applicable in all EU countries in spring 2018.
Privacy challenges in the Digital Age
The digital revolution has brought a lot of benefits to consumers, but it also poses significant challenges with regard to the protection of our fundamental rights to privacy and data protection.
The internet economy is largely built around the monetisation of consumers’ personal data, which is of great economic value. Personal data is being collected and misused by a wide array of different actors often without the consumers’ knowledge or consent. Every time we go on a website, we do not interact with only the owner of the website, but with many other companies and third parties at the same time: web publishers, advertising networks, companies selling data, etc. For example, a study published in November 2015 by the Norwegian Data Protection Authority found that, on average, 43 different companies have a presence on online newspapers and record what consumers do on these websites.
Even if consumers eventually become aware that they are ‘paying with their data’ for many online services and that their privacy is being undermined, there is not much they can do about it, as they have no real choice but to accept the trade-off. Terms and conditions and privacy policies of leading online services and mobile applications, which users must accept without asking questions if they want to access the services, are often very lengthy, obscure, vague and difficult to understand. What is more, another recent study showed that some of the most popular mobile apps, such as social media, health and fitness, dating and messaging apps, constantly share users’ personal information with a myriad of unspecified third parties. They even use clauses that would be in breach of consumer protection and privacy law.
All these concerns are only likely to grow as technology, Big Data and connected devices become predominant in our lives. Smart connected devices are ‘always-on’ sources of deeply personal information. The data that they generate is higher in accuracy, quantity and sensitivity than anything seen before and allows for the creation of excruciatingly detailed and personal consumer profiles. If left without restrictions, extensive personal data collection and advanced profiling techniques can easily lead to discriminatory practices, with potential negative ramifications in the future. Could you, for example, imagine that you are automatically denied a bank loan because the bank has had access to your online shopping history and your fitness tracker data, coming to the conclusion that your lifestyle and diet are not appropriate and make you highly likely to develop a particular health condition or disease? Or that you are forced to accept constant real-time monitoring of your driving behaviour and your location if you want to subscribe to car insurance and that, in addition, such information is shared with third parties beyond the insurance company for other commercial purposes?
Bearing all this in mind and given that the unrestricted access and use of personal data undermines consumers’ fundamental rights and freedoms and can also have negative economic effects on them, a robust legal framework for data protection was overdue, so that consumers can safely benefit from the Digital Economy and the Big Data revolution.
The EU General Data Protection Regulation
More than 4 years in the making, the newly adopted EU data protection regulation aims to put consumers back in control over the way their personal data is processed online.
This new regulation sets a modern legal framework to address privacy challenges in the Digital Age and is a positive development for consumers. Notably, it reinforces consumer rights when it comes to data processing, providing them with greater transparency and control over how their personal data is collected and used. New rights, such as the right to data portability, have been introduced in the regulation and existing rights, such as the right to object to the processing of personal data, have been strengthened. The regulation also increases the powers of Data Protection Authorities to make sure that all companies, big or small, comply with the rules. Additionally, it also increases the possibilities for consumer organisations to help defend consumers’ privacy.
So, what are the key elements of the GDPR?
- First of all, it is a regulation, which means the same rules will be directly applicable in all countries of the EU, thereby providing a uniform level of protection for all consumers across the Union.
- The regulation will apply to any company offering goods and services to consumers in the EU or monitoring consumers’ behaviour in the EU, regardless of the company’s nationality or whether it is established inside or outside of the EU.
- There are stricter rules on how to seek consumers’ consent for the processing of their personal data. In particular, requests for consent cannot be buried or hidden under the general terms and conditions of a service. They must be presented in a manner which is clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language. Also, it is not possible to make a service conditional on the consumer giving consent to the processing of personal data that is not necessary for the performance of the service. And consent can be withdrawn at any time.
- Greater transparency around data processing. There are detailed rules on what information needs to be provided to consumers when their data is being processed. This includes information about who is processing the data, for what purposes, under which legal basis, what the consumers’ rights are, the existence of profiling practices and their possible consequences, etc.
- Improved consumer rights, giving consumers greater control over their personal data. The new regulation reinforces existing rights, such as the right to access the personal data that a company holds about you, the right to ask for the deletion of your personal data and the right to object to the processing of your data. It also includes new rights, notably the right to data portability, which shall allow consumers to, for example, easily take their personal data from one online social network to another.
- Improved consumer redress mechanisms. According to the new rules, consumers will have the right to compensation for material or immaterial damages when their rights have been breached. They will have the possibility to bring complaints before their local Data Protection Authorities and also to seek redress in Court. The regulation also creates new possibilities for consumer associations to act in defence of consumers’ privacy rights.
- More power for the national Data Protection Authorities (DPAs) to act against those companies that do not respect the data protection rules. The DPAs will be able to impose fines of up to 4% of a company's total worldwide annual turnover.
To conclude, the General Data Protection Regulation represents the opening of a new chapter for privacy protection in the EU. These new rules shall foster the development of privacy friendly technologies and help consumers to safely enjoy the individual and collective benefits of the digital revolution without compromising their fundamental rights.