Not many people will remember this, but in 2008 Richard Thomas, the former UK Information Commissioner, caused a fairly dramatic stir in the privacy world – at least among policy makers and fellow regulators – by unashamedly proclaiming that European data protection law was outdated and ineffective to address the technological and privacy challenges of the 21st century. At first, this was regarded by some as an embarrassing admission that could not possibly be right. But only two years later, the European Commission started a process of wholesale legislative reform that culminated in the adoption of the EU General Data Protection Regulation (GDPR) in April 2016. We all know by now that the GDPR is the result of many political and regulatory compromises caused by the precarious balance created by the various forces at play – the unstoppable development of technology, the increasing value of data, the urgent need to protect people’s digital lives, and the prosperity of Europe and the rest of the world.
No one would claim that the GDPR is perfect, not least because we don’t live in a flawless world. But at a recent public debate organised by the Financial Times about whether the GDPR placed unnecessary burdens on businesses, a sizeable majority of 77% of the attendees voted that it did not. German MEP Jan Albrecht and I joined forces to argue, from slightly different perspectives, why, despite its imperfections, the GDPR’s burdens were not disproportionate but justified and manageable. Our opponents made very credible arguments in the opposite direction, so it was somewhat surprising to see such an overwhelming level of support for the GDPR coming from businesses. How can it be that such an intricate and prescriptive piece of legislation has already been accepted so widely?
For starters, most international businesses welcome the level of harmonisation brought by the GDPR. Sure, the EU is not a homogeneous body by any means. Brexit aside, given its huge diversity of cultures, legal systems and societies, it is almost a miracle that the EU operates with any degree of cohesion. But the fact that the core EU data protection rules that will be applicable in the future are set out in a Regulation – as opposed to a Directive – will provide much certainty to those operating across borders. So whilst there are some areas where Member States can and will exercise their discretion, one of the GDPR’s virtues will be to allow EU multinationals to follow a uniform set of rules no matter where they operate.
Linked to this is the new system of supervision and the ‘lead authority’ concept. Many would have preferred an even simpler system with one single regulator having exclusive competence over the use of personal data by the same organisation anywhere in the EU. But since the ‘One Stop Shop’ idea was not a realistic option in the ever so varied EU, we have ended up with the next best thing – cooperation and the consistency mechanism. If all of the national data protection authorities are able to trust each other – and there is no reason why they shouldn’t – it will be possible for multinational businesses to benefit from a much greater level of supervisory consistency than ever before.
By and large, the GDPR is also a victory for technological neutrality. Once again, it is impossible for such a complex and technologically driven law to avoid making references to some of today’s technologies, yet the GDPR fares pretty well when it comes to using generic language and concepts in that respect. No doubt, this will be tested in the years to come, but with a bit of common sense and interpretative help from courts and regulators, it should be possible to consistently apply the GDPR as technology evolves and new digital wonders emerge from our collective imagination.
But perhaps the most positive feature of the GDPR from a business perspective is the so-called ‘risk-based approach’. This means that whilst the rules are the same for everyone, their application will vary in practice depending on the level of risk that a given data activity presents for people’s privacy. In other words, many of the obligations in the GDPR do not work like an on / off switch, but more like a dimmer that allows for different degrees of intensity. This could be regarded as a weakness and a source of uncertainty, but in practice, the risk-based approach is what will make the GDPR not only effective but fair.
It is not difficult to be critical of the GDPR if one chooses to do so. Its complexity can be daunting and its effectiveness will be put to the test at every instance. Yet underneath its prescriptive text, there is a well-intended attempt to make it compatible with our digital future. Responsible businesses should not fear the GDPR but learn to work with it and see it as a way of future-proofing their data practices.
This article was first published in Data Protection Law & Policy in September 2016.