A legal tsunami of overwhelming proportions. A ground breaking piece of legislation. A sweeping digital-privacy regime. A strict new legal framework that will have ripple effects globally. These are all hyperbolic expressions used to describe the impact of the newly agreed EU General Data Protection Regulation (GDPR). Anyone who has read and digested the GDPR will appreciate the truth of these comments, but hyperbole should always be filtered through a process of calm and objective reflection to ascertain the reality of the situation. Otherwise, our cynical human nature is likely to dismiss all of that as baseless exaggerations and choose to largely ignore this development – at least until it becomes enforceable in more than two years from now.
That would be a mistake. A huge mistake. Whether we see the GDPR as a blessing or a threat – or something in between – it is not only wise but a necessity to pay attention to what this ambitious new framework is trying to achieve and has already delivered. The digital economy on which we all depend is at the core of what the GDPR is all about and therefore, this new regulatory framework is certain to affect everyone’s existence and that of our businesses. This effect will extend well beyond Europe. One of the most carefully thought-out aspects of the GDPR is its extraterritoriality. Out are the references to EU-based data processing equipment and in is the concept of “monitoring the behaviour” of EU residents by tracking their digital activities. This is as wide as it gets when it comes to the applicability of the GDPR given that pretty much every website and app in the world does that.
What is important to understand at the outset is the overall aim underpinning the GDPR: Putting people in control of their data. This is a theme that is present throughout the text and is emphasized by the pre-eminence of consent in relation to the use of data. But the standards for legally valid consent are now so high that consent will be increasingly disregarded as a justification for the use of data. That means that individuals’ control over their data will be mainly visible through their significantly reinforced rights. Transparency, erasure and portability are likely to emerge as crucial tools for individuals to use in the face of an ever growing hunger for our digital data. The legislators have worked hard to make these rights more meaningful than ever before, so a greater uptake than until now should be expected.
On top of this, the GDPR is loaded with requirements to make businesses more accountable for their data practices. This is the area where the heavy weight of the GDPR will be most felt in practice. New responsibilities like data protection by design, data protection by default, record keeping obligations, data protection impact assessments and prior consultation with data protection authorities in high-risk cases will require managerial effort and investment. Many of these obligations are entirely new, so for the majority of businesses this will involve a substantial learning curve. Knowing how much (or how little) effort will need to be devoted to getting this right will be a considerable task in itself.
Something that we know will continue to be a priority from a compliance perspective is legalizing data flows to non-EU jurisdictions. While one might find it difficult to believe that in a world of seamless connectivity and global communications there is a modern law which purposely erects geographical data barriers, this is a reality that seems aligned with Europe’s current geo-political needs. As a result, the simple truth is that any business that operates internationally – and who doesn’t? – or wishes to benefit from the technology offered by global service providers must find a practical way of overcoming the legal limitations affecting data transfers. At least the menu of options available is becoming broader so the excuses for non-compliance will become harder to justify.
One could of course take the view that since the world is not going to stop and the Internet is only becoming more and more pervasive in all corners of the world, it would be inconceivable for a regulator to enforce the restrictions on international data flows too harshly. Before giving that thought too much serious consideration, let me point out that since the recent decision invalidating Safe Harbor as a valid mechanism for compliance, there is a renewed focus on this issue. The fact that infringements regarding transfers of personal data out of the EU attract the maximum level of fines under the GDPR – up to 20 million euro or up to 4% of the total worldwide annual turnover, whichever is higher – should not be underestimated either.
All in all, there is one factor that will prove whether the GDPR is a true game changer. What will make a real difference is the number of directors sitting on boards of all sizes who, in some cases for the first time, pay attention to data protection. It is early days but my guess is that from now on, privacy will be a regular feature on the agenda of many boards. Including yours.
This article was first published in Data Protection Law & Policy in December 2015.