Published on Nov 04, 2019
Power to whom? Privacy in a post-GDPR world

In May 2018, the EU General Data Protection Regulation (GDPR) came into effect, the biggest reform of EU data protection law in over 20 years. While the GDPR introduced a number of important changes, it embodies the same core principles that have undergirded data protection law from the beginning. At the same time, due to its broad material and territorial scope as well as high potential fines for non-compliance, among others, the GDPR attracted an unprecedented amount of lobbying and media attention, turning a subject matter once considered niche into an unlikely battleground for political and economic influence.

Those battles are far from settled. The lack of clarity surrounding the correct implementation of the law has left a power void that existing and emerging actors in the data protection landscape are eager to fill, and not only in Europe. This essay will outline the key actors involved in making and shaping the GDPR; the principles, rules, and norms they are advancing; and what implications different implementations of the law might have on who sets the standards, both legal and technical, on how personal data is processed in the European Union and beyond.

Background

Originally proposed by the European Commission on January 25, 2012, the GDPR was intended to allow EU data protection law to meet the challenges of the digital present. While the GDPR introduced a number of important changes, for instance, stronger individual rights and higher compliance obligations, it significantly builds upon the 1995 EU Data Protection Directive (DPD) that preceded it. It embodies the same core principles that have undergirded international data protection law from the beginning, e.g., data minimisation, purpose limitation, transparency, accountability, and a measure of control for individuals over the personal data that is being processed about them.<1> What is new about the law, however, is the context in which it came into being. While concerns about the increase in government power due to computerised record-keeping abilities were already being voiced on both sides of the Atlantic as early as the 1970s, it is the increasing trade in personal data in the private sector that originally spurred the European reforms. In line with the self-conception of the EU as both an economic union and a community of shared values, the GDPR thus pursued the dual goal of strengthening the digital market while enhancing individual rights in an increasingly interconnected world.<2>

This latter goal was advanced with even greater urgency in the aftermath of the Snowden revelations, which suggested that US intelligence agencies appropriated the personal data amassed by a small number of Silicon Valley behemoths for their own purposes.<3> Of particular concern to EU legislators and the European public alike was the fact that private companies generally did not process this data in the jurisdiction in which it was collected, and could hence potentially circumvent regional data protection frameworks such as that of the DPD, which was then still the main governing instrument for data protection across the EU. One of the central goals of the GDPR was thus to devise a legal mechanism by which jurisdiction would not be defined in terms of the location of the organisation processing personal data, but in terms of the location of the person whose data is being processed.<4> In addition, it aimed to institutionalise penalties for violations of the law that would be severe enough to be, at the same time, effective and dissuasive.<5> It ultimately settled on a framework that would allow regulators to impose, in certain cases, fines amounting to up to 20 000 000 euros (almost US$23 million) or 4% of the global annual turnover, whichever is higher.

Following more than four years of intense negotiations, the GDPR was formally adopted in April 2016, providing those organisations subject to it with a transition period of just over two years to review their processing operations for compliance before the law would apply in practice. However, as demonstrated by the flurry of emails right before the May 25, 2018 deadline<6> on one hand, and a seemingly never-ending string of GDPR “curiosities”<7> on the other, there is ongoing confusion about what the law requires in practice.

Key actors

European Commission

The European Commission that proposed the overhaul of the EU data protection framework was operating in the historical context of the coming into effect of the Treaty of Lisbon, which elevated the Charter of Fundamental Rights of the EU (CFREU) to primary law, and thus also formally transformed the economic union into one of shared values and fundamental rights.<8> The CFREU explicitly recognises a right to the respect of private and family life (Art. 7) and a right to the protection of personal data (Art. 8), and thus provided both the basis and impetus for updating the EU data protection framework.<9> In recognition of this development, José Manuel Barroso, second-time President of the European Commission at the time, entrusted Vice President of the Commission Viviane Reding with a separate Directorate-General for Justice, responsible, among others, for EU fundamental and consumer rights. Reding quickly distinguished herself as a strong advocate of fundamental rights and made the reform of EU data protection law a flagship project of her portfolio.
According to the Commission, the preexisting legal framework, the DPD, was lacking in several regards: it was ill-suited to meaningfully protect the personal data of EU data subjects and also did not sufficiently harmonise data protection across EU Member States such that the compliance burden upon businesses would be meaningfully alleviated.<10> Reding also criticised the lack of uniform enforcement.<11> In transforming the EU data protection framework, Reding set herself seven goals: (1) a uniform legal framework through a regulation; (2) clear competence of one’s single data protection authority; (3) uniform high level of data protection; (4) consideration of the particularities of police and justice within the legal framework;<12> (5) special attention to small and mid-sized companies; (6) balanced consideration of all basic rights; and (7) openness of the new legal framework for future technological and economic developments.<13>

Member States

Since, as a regulation, the GDPR superseded much of the preexisting national data protection legislation in Europe, individual EU Member States had an elevated interest in ensuring that the content of the regulation was compatible with their national legal and cultural traditions. In some cases, they had an interest in maintaining what they perceived as stronger overall national law;<14> in other cases, there was a concern about the competitive advantage resulting from a comparatively more lenient approach to data protection law in other EU Member States.<15> To the surprise of many observers, Germany, which likes to describe itself as the “motherland of data protection,”<16> was initially “remarkably ambivalent” about the proposed legislative changes.<17> This reluctance was partly due to the fact that the GDPR did not generally distinguish between the regulation of public sector and private sector organisations, which made sense from a European perspective, since the dividing lines between public and private vary from one Member State to the next. There was also some consternation due to a long tradition of regulating these based on sectoral legal frameworks, which would be, and for the most part were, superseded by the GDPR.<18> But resistance also came from individual German states, which equally have their own data protection frameworks and were thus facing the threat of being subsumed under the regulation. The German position ultimately became politically untenable, particularly given the broad public support for a European solution following the Snowden revelations. But the GDPR still left significant room for national solutions to particular data protection questions based on the substantial number of opening clauses that allow individual EU Member States to particularise the law in certain areas.

Private sector

The private sector is far from homogenous, so the GDPR naturally had different implications for different actors in this space. Large multinational companies with customers in multiple jurisdictions in general, and American software companies whose business model depends on the monetisation of personal data in particular, may have felt that the law was directed at them in particular, and hence invested significant amounts of resources in order to comply. They generally had an interest in less onerous legislation, on one hand, but also in greater harmonisation of and legal clarity across the EU data protection landscape on the other. This particular sub-segment of the private sector thus paid close attention to, and also tried to actively influence, the development of the law. Indeed, presumably because of its sweeping scope and potential high fines for non-compliance, the GDPR was subject to an unprecedented amount of lobbying, resulting in no less than 3,999 amendments to the original Commission proposal.<19> But because some of the compliance requirements under the GDPR are so resource-intensive, and because the law, apart from its risk-based approach, makes no distinction between different controllers based on size, some commentators also argued that the GDPR disproportionately disadvantaged smaller companies that could not afford to spend as much time and manpower on the law as their larger competitors.<20> Initial assessments of the implementation of the law demonstrate that these concerns are not entirely unfounded.<21>

Civil society

Civil society, as represented by the European Parliament but also advocacy organisations, generally embraced the reforms, particularly in the aftermath of the Snowden revelations, which catapulted privacy into the spotlight of legislative attention.<22> But to some observers the reforms were not far-reaching enough.<23> One area of criticism was the issue of whether consent would need to be “explicit,” as requested by the European Commission and Parliament, or the somewhat less onerous “unambiguous,” as requested by the Council.<24> Ultimately, explicit consent was only required for the processing of special categories of data.<25>

Another area of contention was the separation of the area of law enforcement from the general regulation, as some observers felt the instrument of a directive was not strong enough.<26> From a different point of view, the GDPR, however, also harboured certain civil liberties risks, as it was unclear, for instance, how conflicts between data protection and freedom of speech would effectively be resolved, among others.<27>

European Court of Justice

These conflicts will ultimately need to be resolved in court, and more specifically by the European Court of Justice (ECJ). The ECJ assumed particular prominence in the field of data privacy through highly mediatised cases. The list includes Google Spain,<28> which established the so-called “right to be forgotten,” on one hand, as well as the Schrems case,<29> which declared the Safe Harbor Agreement invalid, on the other hand. Both cases have far-reaching implications. In Google Spain, the ECJ ruled that data subjects have the right to ask search engines to delist information associated with name searches, if that information appears to be inadequate, irrelevant, no longer relevant, or excessive in relation to the processing purpose.<30> However, the Google Spain ruling raised several important questions. First, who should get to decide what information gets delisted based on these criteria? Should a private sector company with a market share of over 90% in Europe be forced to assume the position of sole arbitrator of what information is easily accessible online?<31> Second, how far does the reach of the ECJ’s ruling extend? Should the ruling apply to European domains only or, in order to make the “right to be forgotten” meaningful, do search results need to be delisted worldwide? The French data protection authority argued precisely the latter in a case that is currently still pending.<32> Were the ECJ to rule affirmatively, it would pit the European approach, which is focused on dignity, directly against the American approach, focused on liberty, among others. Similarly, the Safe Harbor Agreement had provided the legal basis for data transfers between the European Union and the United States until Maximilian Schrems, an Austrian student at the time, complained that data protection standards in the US could no longer be considered “adequate” in light of the Snowden revelations.
The Safe Harbor Agreement has since been replaced by the so-called Privacy Shield, but legal uncertainty as to the long-term viability of the latter remains. The economic impact of a disruption to transatlantic data flows would, of course, be substantial.

Implications

The ripple effects of the GDPR could certainly be felt in all corners of the world, making headlines from New York<33> to New Delhi.<34> But did the law achieve the goals it set out for itself? What implications will it have on who sets the standards, both legal and technical, on how personal data is processed going forward?

A harmonised legal framework?

As mentioned above, one of the most important goals of the GDPR was to create a harmonised data protection framework across Europe that would achieve the dual goal of protecting personal data while at the same time enabling the free flow of such data.<35> But while the instrument of a regulation might achieve that goal in theory, there are a number of reasons why the GDPR fell short of meeting it in practice. First and foremost, the GDPR was intended to be technologically neutral, which means both that it can easily be adapted to an evolving technological landscape, and that it does not provide concrete guidance for how it should be applied in specific processing contexts. While the GDPR does encourage the development of industry standards, these will likely take several years to develop, thus yet again leaving ample room for interpretation in the meantime. There is already evidence that the GDPR has spurred a dubious market for GDPR “experts” and “solutions,”<36> likely leading to further confusion and fragmented approaches to implementation on the ground.<37>

Beyond the general nature of the law, the roughly 70 opening clauses mentioned above also undermine the goal of harmonisation and thus in many cases require organisations subject to the GDPR to continue consulting national data protection legislation regardless. Thus, while the Commission emerges as the public watchdog of EU data protection law, individual Member States are at least theoretically able to continue to wield significant influence in practice.<38>

A boon to competition?

Advocates of the GDPR, at both the level of European institutions and civil liberties communities on the ground, often portrayed the law as a way to rein in large American technology companies. But, as mentioned above, the evidence is mixed at best. Unlike Silicon Valley giants, small and medium-sized companies will hardly be able to dedicate “hundreds of years of human time”<39> to GDPR compliance. Furthermore, increasingly insecure consumers may choose to remain with established players, thus further raising the barrier of entry for newcomers on the market.<40>

Strengthening the right to data protection in the EU?

The GDPR has certainly elevated the public face of data protection, making it an issue of concern from compliance to the C-suite. Due to the higher potential fines for non-compliance, data protection in Europe now has teeth and, as initial enforcement actions have demonstrated, data protection authorities (DPAs) are not afraid to bite.<41> That said, many DPAs are chronically underfunded<42> and ill-equipped to address the overwhelming number<43> of complaints, data breach notifications, and requests for information received in the aftermath of the coming into effect of the law. There is also the additional complication that the GDPR now requires DPAs to be consistent. This makes sense, of course, at least in theory, considering that the goal of the GDPR was to harmonise the European data protection landscape. But it leads to complications in practice, particularly in the far from unusual case where a data subject issues a complaint about a controller based in another EU Member State. According to the principle of the “One-Stop-Shop,” the DPA ultimately responsible for processing the complaint (“lead supervisory authority”) would be the one in the country where the controller has its main establishment.<44> However, any other DPA responsible for a significant number of data subjects affected by the complaint (“supervisory authorities concerned”) has the right to object to any decision taken by the lead DPA, in which case the consistency mechanism<45> would be triggered and all DPAs would jointly have to come to an agreement. This has the potential to become particularly complicated considering that countries such as Germany not only have one national but also more than a dozen fiercely independent regional and sectoral DPAs.

Impact of the GDPR beyond the EU?

Beyond Europe, numerous jurisdictions are now proposing laws that seem at least partly inspired by the GDPR, such as the California Consumer Privacy Act (CCPA),<46> but also legislation being passed or at least debated in rising powers such as Brazil,<47> India,<48> and China.<49> It is important to note that these laws, of course, may still significantly differ from the GDPR in both intent and practice, closely reflecting the particular legal traditions and economic priorities in each case. For instance, the applicability of the CCPA is limited to for-profit entities only and its scope excludes certain personally identifiable information, such as medical data and information processed by credit reporting agencies, to align the law with the historically sectoral approach to data protection in the United States.<50> Similarly, even though the Chinese Personal Information Security Specification was closely modelled after the GDPR, it is at the same time less stringent in important matters such as consent. Its drafters were keen to balance privacy with innovation, as the development of artificial intelligence technologies in particular is of increasing importance in China not only from an economic but also political perspective.<51>

All this goes to show that the GDPR may have provided the impetus to review national data protection laws in some cases, but that the shape and content of those laws will continue to differ greatly from one context to another. And it will be the extent and nature of those variations that will determine how frictionless the free flow of data will become at the international level going forward, and the extent to which both the economic and fundamental rights goals behind overhauling the European data protection framework can be met in practice. One potentially counterintuitive consequence of the GDPR, for instance, is that it arguably paves the way for greater data localisation<52> or data sovereignty.<53> A common response to the Snowden revelations in Europe was that European data should be processed according to European standards. But this effectively enabled other players, such as China, India, and Russia, to equally demand that data emanating from their jurisdictions be processed according to their respective national standards. The risk of an increasingly fragmented Internet looms large.

Looking ahead

While no revolution, the GDPR is still unprecedented in its attempt to create a harmonised data protection framework able to meet the technological challenges of the modern age. But the GDPR is only the beginning. At the European level, it will be important now to see how the law will be implemented in practice and what opinions are issued by data protection authorities and the courts as the first enforcement actions make their way to the ECJ in Luxembourg. Attention-grabbing misinterpretations of the law risk undermining underlying legitimate aims. At the international level, the GDPR is also only one among a number of competing approaches, and it remains to be seen how alternative actors, such as the United States and China, will try to shape the development of international data protection standards in the future. Agreeing on a reasonably unified data protection framework was not easy in the EU already. But hopefully the GDPR will serve as one of the first stepping stones on the path toward a continuous evolution of international data protection standards that meaningfully protect citizens and consumers from government and private sector intrusions, while at the same time providing a level of freedom and harmonisation that enable both individuals and businesses to reap the full benefits of the digital future – not only in Europe, but also beyond.


This essay originally appeared in The Raisina Files


Endnotes

<1> See, e.g., the 1970 Data Protection Law of the German state of Hesse, the first of its kind; the 1973 HEW Report on Records, Computers, and the Rights of Citizens, articulating the Fair Information Practice Principles (FIPPs) in the United States; the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and the 1981 Council of Europe Treaty 108, delineating core data protection values for the international community.

<2> European Commission, “Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century”, January 25, 2012.

<3> Glenn Greenwald and Ewen MacAskill, “NSA Prism Taps Into User Data of Apple, Google and Others”, Guardian, June 7, 2013.

<4> This is also strongly supported by the European public, see Special Eurobarometer 431, “Data Protection”, European Commission, June 2015, at 44.

<5> Art. 83 GDPR, General Conditions for Imposing Administrative Fines.

<6> Martin Belam, “Businesses Resort to Desperate Emailing as GDPR Deadline Looms”, Guardian, May 24, 2018.

<7> See, e.g. #XFilesGDPR hashtag on Twitter, which allows German scholars to comment on and resolve dubious GDPR interpretations.

<8> Eugen Ehmann and Martin Selmayr, Datenschutz-Grundverordnung, Second Edition (Beck, 2018): 107.

<9> Ibid, 110. See also Viviane Reding, “Sieben Bausteine der europäischen Datenschutzreform,” ZD, 2012.

<10> European Commission, “Impact Assessment”, January 25, 2012.

<11> Viviane Reding, “Die neue EU-Datenschutzverordnung – Eine Chance für effektiven Datenschutz in Europa”, European Commission, March 21, 2012.

<12> The reference to the particularities in the sector of police and justice refers to the fact that the area of law enforcement traditionally falls within the sovereign jurisdiction of each EU member state and is thus a subject matter arguably ill-suited for the all-encompassing instrument of a regulation. The resulting data protection framework thus also distinguished between the GDPR and the EU Data Protection Directive for Police and Criminal Justice, the applicability of which was limited to organisations processing personal data for law enforcement purposes.

<13> See verbatim Reding, ZD, 2012.

<14> See, for instance, the highly critical (and widely criticised) public commentary by Johannes Masing, judge on the German Federal Constitutional Court, in Süddeutsche Zeitung, “Ein Abschied von den Grundrechten,” January 9, 2013.

<15> The fact that many major American technology companies decided to establish their headquarters in Dublin is sometimes viewed as a result of the generally more cooperative approach of the Irish DPA. See e.g., Adam Satariano, “New Privacy Rules Could Make This Woman One of Tech’s Most Important Regulators”, The New York Times, May 16, 2018.

<16> Not entirely without reason, considering that the German state of Hesse implemented the first data protection law worldwide. See Hans-Jürgen Papier, “Von der Volkszählung zur Speicherung von Verbindungsdaten – 25 Jahre informationelle Selbstbestimmung”.

<17> See note 8, 116, as well as Martin Selmayr, “Nach PRISM: Endet jetzt die Ambivalenz der deutschen Position zum EU-Datenschutz?” ZD, 2013.

<18> See note 8, 117.

<19> George Christou, “European Privacy and Data Protection Policy,” in The Routledge Handbook of European Public Policy, edited by Nikolaos Zahariadis and Lauri Buonnanno (Routledge, 2017): 185.

<20> See Wakabayashi and Satariano, “How Facebook and Google Could Benefit from the G.D.P.R., Europe’s New Privacy Law”, New York Times, April 23, 2018.

<21> Björn Greif, “Study: Google is the Biggest Beneficiary of the GDPR”, Cliqz, October 10, 2018.

<22> “Prism: A Wake-up Call for Data Protection”, European Parliament, June 20, 2013.

<23> See, e.g., the comments by Joe McNamee, Executive Director of the civil liberties group European Digital Rights (EDRi), describing the GDPR as “less clear and less protective of personal data than it could – and should – have been.” “Data Protection Package Concluded – 1420 Days After Being Launched”, EDRi, December 16, 2015.

<24> See note 19, 185.

<25> Art. 9 GDPR, Processing of special categories of personal data.

<26> See note 8, 115-116.

<27> See note 19, 185-186.

<28> Google Spain v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12 (2014).

<29> Schrems v. Data Protection Commissioner, Case C-362/14 (2015).

<30> Google Spain, Rec. 93-94.

<31> For an in-depth analysis, see Julia Powles, “The Case That Won’t Be Forgotten,” Loyola University Chicago Law Journal 47 (2015): 583-615.

<32> See David Meyer, “The ‘Right to Be Forgotten,’ Globally? How Google Is Fighting to Limit the Scope of Europe’s Privacy Law”, Fortune, September 10, 2018.

<33> See, e.g., Adam Satariano, “G.D.P.R., a New Privacy Law, Makes Europe World’s Leading Tech Watchdog”, New York Times, May 24, 2018.

<34> See, e.g., Amba Kak, “As Europe’s Data Protection Law Kicks In, Where Does India Stand”, The Times of India, May 25, 2018.

<35> As noted in the title of the law itself, though the second half is commonly neglected.

<36> “Business Booms for Privacy Experts as Landmark Data Law Looms”, Reuters, January 22, 2018.

<37> See, e.g., Peter Münch, “Wien wird doch nicht zur Hauptstadt der Namenlosen”, Süddeutsche Zeitung, November 28, 2018, on the confusion about whether landlords would still be able to put nameplates on doorbells in Vienna, as well as dpa, “Mit DSGVO überfordert: Radiosender rettet Wunschzettel-Aktion in Bayern”, Heise, November 22, 2018, on concerns about whether a town in Bavaria could still allow children to hang wish lists on public Christmas trees under the GDPR.

<38> Note that Member States do not have to make use of opening clauses.

<39> Ashley Rodriguez, “Google Says it Spent ‘Hundreds of Years of Human Time’ Complying with Europe’s Privacy Rules”, Quartz, September 26, 2018.

<40> See note 20.

<41> See Wiebke Kummer, “Portuguese Data Protection Authority Imposes 400,000 EUR Fine on Hospital”, DatenschutzNotizen, October 24, 2018.

<42> Douglas Busvine, Julia Fioretti, and Mathieu Rosemain, “European Regulators: We’re Not Ready for New Privacy Law”, Reuters, May 8, 2018.

<43> William RM Long and Jasmine Agyekum, “EU DPAs Receive Thousands of Complaints Under the GDPR”, Lexology, November 13, 2018.

<44> See Art. 56 GDPR, Competence of the lead supervisory authority.

<45> See Art. 63 GDPR, Consistency mechanism.

<46> “CCPA, Face to Face with the GDPR: An In Depth Comparative Analysis”, Future of Privacy Forum, November 28, 2018.

<47> Melanie Ramey, “Brazil’s New General Data Privacy Law Follows GDPR Provisions”, Inside Privacy, August 20, 2018.

<48> Nilesh Christopher, “The India Draft Bill on Data Protection Draws Inspiration from GDPR, But Has Its Limits”, Economic Times, July 28, 2018.

<49> Samm Sacks, “China’s Emerging Data Privacy System and GDPR”, CSIS, March 9, 2018. For an expansive comparison of how different privacy laws around the world compare to the GDPR, see the International Association of Privacy Professionals (IAPP’s) “General Data Protection Regulation Matchup Series”.

<50> See note 46.

<51> See note 49.

<52> See Sam Pfeifle, “Is the GDPR a Data Localization Law?” IAPP, September 29, 2017.

<53> See Danny Crichton, “GDPR, China and Data Sovereignty are Ultimately Wins for Amazon and Google”, Tech Crunch, May 29, 2018.

The views expressed above belong to the author(s).

Contributor

Paula Kift

Paula Kift is a privacy and civil liberties engineer at Palantir Technologies which she joined upon graduating with a masters degree in media culture and communication from ...
