The GDPR came into effect on 25 May 2018, and reformed and replaced data protection law across Europe. Before the GDPR, data protection in the EU was governed by the 1995 Data Protection Directive, which required countries within the EU to pass national laws implementing provisions within the Directive. GDPR applies directly in all Members States and is supplemented by national legislation.
Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers. A key change is the introduction of fines of up to €20 million or up to 4% of global annual turnover, whichever is greater. This is a huge increase from previous fines (for example in the UK, the maximum possible fine under previous legislation was £500,000).
GDPR is extraterritorial in its scope, which means that there are circumstances in which GDPR can apply to companies around the world. Even where companies aren’t based in the EU, GDPR applies to all those offering goods and services to individuals in the EU (irrespective of whether the individuals have to pay) and/or monitoring the behaviour of individuals in the EU (this includes online tracking).
Companies that are operating both in and outside of the EU will have to adapt their practices, at least for all data processing that falls under the GDPR. This raises the question as to whether companies are going to raise standards across the bar or make a deliberate choice to implement a dual standard, where for example, individuals outside the EU are less protected. Many companies have yet to make their position clear.
What is the problem
The world is being rebuilt by companies and governments so that they can exploit data. Increasingly the spaces and environments we inhabit and pass through perpetually generate and collect data from human behaviour, without telling and asking us. Public debate normally focuses on personal data that people knowingly disclose. We urgently need to look beyond the data we provide knowingly to companies and government. Exploiting the hidden data ecosystem, made up of data companies, advertisers, social media companies, and more, companies and governments are relying less on data we provide and instead are looking at data they can observe, derive, and infer. Without urgent action, data will be used in ways that people cannot now even imagine, to define and manipulate their lives without transparency or accountability.
What is the solution
Data protection regulation such as GDPR is one piece of the larger puzzle to fight back against data exploitation. GDPR isn't a complete revolution, but rather builds upon the previous EU law, modernising and strengthening it.
An important aspect of GDPR in empowering individuals and fighting against data exploitation is strong rights for individuals. These rights must be facilitated in practice by those processing data and enforcement action taken where they are not. Here is a short summary of individuals rights under GDPR:
Individuals must be provided with information about who is using the data and for what purpose. The information must be concise, transparent, easily accessible, in clear and plain language, be comprehensive, and be given at the time the data is requested or obtained.
Individuals have the right to access their personal data on request (within 1 month) free of charge, no matter whether it is collected directly from them or obtained from a third party.
Individuals have the right to have personal data corrected if it is inaccurate or incomplete; they must be informed about third parties to whom the data has been disclosed; and third parties must be informed of the correction where possible.
Individuals have the right to request that personal data be deleted or removed where there is no compelling reason for its continued processing. This right is subject to a number of tests and exceptions, importantly freedom of expression.
Individuals have the right to ‘block’ or suppress processing of personal data in particular circumstances. Personal data can then be stored but not further processed until the issue is resolved.
Individuals have the right to obtain and reuse the personal data they’ve provided for their own purposes across different services. They can move, copy or transfer their personal data from one provider to another in a “commonly used and machine-readable format.”
Individuals have the right to object to processing, including profiling. This means that such processing must be stopped unless compelling grounds override the interests of the individual. There is an absolute right to object to processing for direct marketing purposes.
Individuals have the right not to be subject to decisions based on automated processing without any human intervention, if such a decision significantly affects them.
What PI is doing
On the day GDPR came into force, Privacy International launched a campaign to uncover the hidden data ecosystem, which is comprised of companies which profit from the exploitation of people’s data. We are currently investigating companies and data sources, and plan to use GDPR as a tool to uncover and fight against this hidden data ecosystem. Companies that maximize the amount of personal data they process and use it in ways that individuals would not expect are the antithesis of what data protection is about.
Privacy International played an important role in the shaping of GDPR, which was proposed by the EU Commission in 2012. PI, together, with other civil society actors, worked on GDPR from the beginning, seeking to protect it in the face of intense industry lobbying. In spite of the over 5,000 amendments tabled, and certain compromises, GDPR is an important step in the right direction to comprehensive protection of personal data and a tool and safeguard against data exploitation. PI will be vigilant to the implementation and enforcement of GDPR going forward and seek to hold to account those that fail to comply.