GDPR: Gold Standard or Wishful Thinking?

In a recent post, I briefly introduced the European Union’s General Data Protection Regulation, or GDPR, and I promised to write some more on it. Some (Calder 2016, Fischmann 2018, Lomas 2018) have put the GDPR up as the gold standard in data protection, while others (Geuter 2018, Nielsen 2018) have questioned whether the promise of the GDPR is realistic.

Let’s have a closer look at the GDPR and some of the commentary around it.

The GDPR in a nutshell

The GDPR is based on the following six principles:

[Infographic: GDPR Data Protection Principles, image created by the author, 2018, using Canva.]

So far, that’s all pretty consistent with what we have here in Australia, via the Privacy Act 1988, its associated Australian Privacy Principles, and numerous other laws. Many other countries around the world have similar laws in place.

[Infographic: Data Protection Laws Around the World, image created by the author, 2018, using Canva.]

As you’ll have seen from the infographic above, Australia is already considered to have ‘heavy’ data protection laws, but then so is the US – the home of Facebook and Google, the companies at least one commentator (Geuter 2018) believes to be the target of the GDPR.

The GDPR goes further than our local laws in some respects; for example, the Privacy Act 1988 usually doesn’t apply to businesses with an annual turnover below AU$3M (unless they are a private health provider), but the GDPR applies to businesses, organisations and government departments of any size. The graphic below provides some case studies for Australia.

[Infographic: GDPR Case Studies for Australia, image created by the author, 2018, using Canva.]

In addition to the broader scope of application, the fines for breaching the GDPR go way beyond anything we’ve got here: €20M or 4% of the previous year’s global turnover, whichever is the higher (GDPR, Article 83(5)).

The GDPR has also formalised ‘the right to be forgotten’, which gives individuals the right to have information about themselves removed in certain circumstances. Here’s an article that talks about why that might be a good idea, but might also be difficult to achieve.

So, what’s it all for?

Well, money, of course. The EU has recognised that:

The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. (GDPR Recital 13).

In other words, the EU wants to reassure citizens that their personal data is safe, so they’ll feel confident about conducting commercial transactions online and the economy and society will benefit.

The Australian government has used a similar argument in its introduction to the proposed Data Sharing and Release legislation, but that Act seems to focus more on the importance of making data more freely accessible than on concerns individuals might have about data security.

GDPR and ‘free movement of personal data’

When you think of data security, you may think about trying to keep data locked up tight, but as data security expert Jürgen Geuter (2018) explains:

This is very important and often overlooked: GDPR is not supposed to make data stay where it was gathered. Its job is to guaratee (sic) a level of protection/regulation attached to data, no matter where it goes. Even if the data leaves the EU.

Why does data need to move between locations, anyway? Many companies store their data in offshore data centres run by third parties. Also, Russell Brandom, Senior Reporter at The Verge, explains that when you visit certain websites, data is sent off to dozens of different companies for analytics, logins, and advertising purposes. So data is moving all the time.

Researchers also need access to personal data for certain types of research. I’ve touched on that in this podcast, which also explains a few more areas of everyday life that the GDPR will affect:

Is the GDPR realistic?

The GDPR promises EU consumers far greater control over their personal data, but it does raise some questions, too.

Geuter (2018), who is German (i.e. a direct beneficiary of the GDPR), a computer scientist, and a certified data protection officer for the GDPR, asks:

Why should the EU parliament be allowed to decide how to regulate companies or entities it’s not legitimized to? Why does the EU parliament assume that it is allowed to override every law in the world if it feels like it? … The problem of conflicting legislation colliding on the Internet is neither new nor easily handled. But those questions need to be solved and not by saying “because we say so”.

And indeed, how will the EU enforce the GDPR outside of Europe? Would this encroach on other nations’ sovereignty, as Geuter believes it does? Or is it past time that someone took the lead on finding a global solution to a global problem?

Nielsen (2018) highlights the EU’s hope that the very high standard of data protection the GDPR is expected to deliver for Europeans will inspire other countries to lift their data protection standards, but he also conveys concerns about the ability of some Latin American countries to comply with the GDPR, given that some of them currently have no data protection laws at all and that they struggle with ongoing economic and human rights issues. In that scenario, is it reasonable to expect compliance?

What’s the return?

The cost of implementing and maintaining compliance with the GDPR is substantial, but what’s the return? Will Europeans’ data really be safer than before the GDPR?

Professor Tal Zarsky, of the University of Haifa’s Faculty of Law, doesn’t believe so. Furthermore, he believes that the GDPR is incompatible with Big Data, the use of which the Australian government is looking to expand:

Such incompatibility is destined to render many of the GDPR’s provisions quickly irrelevant. Alternatively, the GDPR’s enactment could substantially alter the way Big Data analysis is conducted, transferring it to one that is suboptimal and inefficient. It will do so while stalling innovation in Europe and limiting utility to European citizens, while not necessarily providing such citizens with greater privacy protection (2017, p. 996).

So, it seems I’ve raised more questions than answers. I guess that’s to be expected when, as Calder (2016) says, such a large and game-changing piece of legislation is passed all in one hit, all over the world. It’ll be interesting to see how it all unfolds.

Images – blog post

regulation-3246979_1280, by TheDigitalArtist (CC0)

Infographics as per captions.

References – blog post

Brandom, R 2018, ‘Everything you need to know about GDPR’, The Verge, weblog post, 25 May, retrieved 16 August 2018.

Calder, A 2016, EU GDPR: A Pocket Guide, IT Governance Publishing, EBSCOhost, viewed 17 August 2018.

Department of the Prime Minister and Cabinet 2018, New Australian Government Data Sharing and Release Legislation: Issues paper for consultation, Department of the Prime Minister and Cabinet, 4 July, retrieved 14 August 2018.

DLA Piper Data Protection 2018, Compare data protection laws around the world, DLA Piper Data Protection (interactive infographic), retrieved 17 August 2018.

Fischmann, K 2018, ‘How Does GDPR Apply To Australian SaaS Businesses?’, You & Co Media Pty Ltd, weblog post, 25 May, retrieved 17 August 2018.

Gilbert & Tobin Lawyers 2018, GDPR: The Final Countdown, Gilbert & Tobin Lawyers, retrieved 17 August 2018.

Geuter, J 2018, ‘A critical reflection on #GDPR’, tante.cc, 3 April, retrieved 15 August 2018.

Lomas, N 2018, ‘WTF is GDPR?’, techcrunch.com, 21 January, retrieved 17 August 2018.

Nielsen, N 2018, GDPR – A global ‘gold standard’?, euobserver.com, retrieved 18 August 2018.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016], OJ L 119/1.

Zarsky, TZ 2017, ‘Incompatible: The GDPR in the Age of Big Data’, Seton Hall Law Review, No. 4, pp. 995-1020, Academic OneFile, EBSCOhost, viewed 15 August 2018.

Music – podcast

Allada by Kevin MacLeod (CC BY 3.0)

Image – podcast

‘Biometric Login’, photograph by author, 2018

References – podcast

‘Could GDPR scupper NHS plans for AI?’ 2018, British Journal Of Healthcare Computing, p. 1, Health Business Elite, EBSCOhost, viewed 29 July 2018.

Fehrenbach, A & Scott, V 2018, ‘GDPR : the final countdown : what it means for Australia’, Communications Law Bulletin, Vol. 37, No. 2, AGIS Plus Text, EBSCOhost, viewed 16 August 2018.

Katulic, T & Katulic, A 2018, ‘GDPR and the reuse of personal data in scientific research’, Proceedings of 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Croatian Society MIPRO, Opatija, Croatia, pp. 1311-1316, IEEE Xplore Digital Library, EBSCOhost, viewed 16 August 2018.

Office of the Australian Information Commissioner 2018, General Data Protection Regulation guidance for Australian businesses, Australian Government Office of the Australian Information Commissioner, retrieved 15 August 2018.

Pupazzoni, R 2018, ‘Data breaches are on the rise, but that won’t force companies to up cyber security’, ABC News (website), 12 July, retrieved 15 August 2018.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016], OJ L 119/1, art 4(11).

The Mandarin 2018, ‘Human error (not hackers) behind most data breaches in Australia’, www.smartcompany.com.au, retrieved 15 August 2018.

Voight, P & von dem Bussche, A 2016, The EU General Data Protection Regulation (GDPR) – A Practical Guide, Springer International Publishing AG, Cham, Switzerland.

Vojkovic, G 2018, ‘Will the GDPR slow down development of smart cities?’, Proceedings of 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Croatian Society MIPRO, Opatija, Croatia, pp. 1295-1297, IEEE Xplore Digital Library, EBSCOhost, viewed 16 August 2018.

Vojkovic, G & Milenkovic, M 2018, ‘GDPR in access control and time and attendance systems using biometric data’, Proceedings of 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Croatian Society MIPRO, Opatija, Croatia, pp. 1138-1142, IEEE Xplore Digital Library, EBSCOhost, viewed 16 August 2018.

Zarsky, TZ 2017, ‘Incompatible: The GDPR in the Age of Big Data’, Seton Hall Law Review, No. 4, pp. 995-1020, Academic OneFile, EBSCOhost, viewed 15 August 2018.
