The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. Its aim is to allow the European Union (EU) to catch up on two decades of technological evolution. However, its main focus remains two themes that have evolved in both the EU and the United States: enforcement and standardization of data protection.
This is a companion explanation alongside an analysis by WikiTribune’s Linh Nguyen.
Member States (MS) of the EU are protective of their citizens’ data. Each member state is also a signatory to the 1953 European Convention on Human Rights (ECHR), Article 8 of which provides the right to respect for “private and family life,” as well as for correspondence. However, it was only when the European Commission determined that diverging data protection levels among member states prevented the free movement of data that the Data Protection Directive (DPD) was implemented, in October 1998.
The GDPR continues the trend of the Citizens’ Rights Directive (created in 2004) of creating rights for the entire “class” of citizens of EU Member States. Specifically, it seeks to give all EU residents the right to know and control the use, storage, transfer, and deletion of their personal data.
Stiff non-compliance penalties are included. According to Philip Marshall of The Economist’s Intelligence Unit, GDPR-level penalties would see a 90-fold increase if data security breaches were to remain at their 2015 level. The broader rights and sharper teeth of the GDPR compared to the DPD highlight the EU’s determination to guard data protection robustly.
The format of the GDPR supports this notion. An EU regulation is a perfect legislative act, meaning that it is “binding in its entirety and directly applicable to all Member States”. This is different from a directive that must be “implemented” into national law to be effective, per Article 288 of the 2007 Treaty on the Functioning of the European Union. For example, for the DPD to be effective in the UK, the British parliament had to enact the Data Protection Act 1998. The GDPR will take effect even without the Data Protection Bill currently progressing through the British parliament.
This difference matters: it shows that the EU is determined to exercise greater control over the implementation of the GDPR than it did over the DPD.
Balancing EU/U.S. privacy laws
Data is an extremely valuable resource in the 21st century, so much so that it has been called the “fuel of the future” (The Economist). Big businesses have come under scrutiny for lax protection of personal data. Theoretically, such practices will be hunted to extinction by the GDPR wherever they may occur. This is because any company that offers goods or services within the EU and European Economic Area (EEA), and deals with the personal data of an EU citizen, must comply with the provisions of the GDPR regardless of where it is based.
This is particularly relevant for American businesses, which are normally said to enjoy the comparative laxity of American privacy law. Indeed, fears in the EU over U.S. firms’ handling of EU citizens’ data required a political fix. Developed between 1998 and 2000, the International Safe Harbor Privacy Principles set out guidelines to prevent U.S. firms that store customer data from accidentally disclosing or losing personal information.
Partly, this difference comes from a cultural divergence. Unlike Article 8 of the ECHR, the U.S. Constitution does not enshrine a right to privacy, so the U.S. has no guiding principle on how to approach data privacy. Largely, misuse of data under American law is dealt with under elements of unfair and deceptive practice laws. There are specialized regimes for sensitive areas: children’s data is one example. A second is the healthcare and finance markets, which have sector-specific legislation.
The European Court of Justice in 2015 struck down Safe Harbor following revelations of U.S. mass surveillance of private firms’ data. Consequently, the EU-U.S. Privacy Shield was hashed out between the two sides. Self-certification for U.S. firms, with oversight from the U.S. Department of Commerce, was a compromise included in the Privacy Shield.
EU has been reluctant to accept that other jurisdictions guard private data
This is important because privacy laws vary among U.S. states. Instead of forcing all firms in all states to comply with EU data protection rules, self-certification allows the firms that hold EU citizens’ data to adhere to EU standards without unduly burdening those that do not. At the same time, there is consistency at the federal level, which reassures the Europeans.
Data privacy laws differ in form, but enforcement also diverges between the two jurisdictions. In the U.S., class action lawsuits for breach of data privacy are sometimes successful. In the EU, they do not exist. Class action lawsuits have contributed to the increasing payouts that U.S. data breaches yield for those whose data is stolen. For example, in June 2017, Anthem, one of the largest providers of healthcare insurance in the United States (Forbes), agreed to pay a $115 million settlement as the result of a class action lawsuit filed after a 2015 cyberattack on the company. The payout has been called “the largest data breach settlement in history” (HealthcareITNews).
Two themes are clear. There is continuing reluctance by the EU to accept that other jurisdictions guard private data sufficiently well. In addition, the EU appears aware that, especially in comparison with the United States, it has to work on enforcement.
Heavier fines for noncompliance, universal reach
While the GDPR upgrades some data protection, the key to understanding the new regulation is how it addresses enforcement and standardization of global levels of data protection.
Upgrades include more protection for children’s data. Parental approval is required for persons under 16 who want to access information-society services. Broadly, these are online services provided to an individual, such as social media and online marketplaces. In addition, a broader definition of personal data means the regulation has greater general relevance.
However, it’s the heavier fines that will have most impact. These signal a pivot toward the American approach, focusing as much on compensation as on the basic rights of those harmed. A new obligation on firms with more than 250 employees to recruit data protection officers to ensure GDPR compliance supports this narrative of enforcement. Like the U.S., it seems the EU wants to make sure that the regulatory bite is as dangerous as the bark suggests.
More tools for enforcement have little impact if they’re not used. The UK’s Information Commissioner’s Office (ICO) blogged that in the year 2016/2017, some 17,300 cases were concluded under the Data Protection Act (DPA), but only 16 resulted in fines. That’s a rate of 0.09 percent. Speculation on the low rate includes the belief that the ICO is under-resourced, as Elizabeth Denham (the current Information Commissioner) said during an appearance before the House of Lords EU Home Affairs Sub-Committee.
Perhaps most importantly, the fact that the GDPR will be enforced regardless of where a company is based, as long as it is handling an EU citizen’s data, signals a serious intent to ensure that standards of data protection are raised worldwide.