We are now, at last, all living in a GDPR world. PublicTechnology asks what – if anything – that means, and looks back on the journey we took to get here
Credit: Dennis van der Heijden/CC BY 2.0
A quick scan of my personal inbox reveals that there were four on Monday, rising to a whopping 13 on Tuesday, before settling back down to nine on Wednesday, then building to a crescendo of 22 on Thursday.
To misquote TS Eliot: This is the way GDPR begins. Not with a bang, nor a whimper, but with an avalanche of emails.
Begin it has.
Six years after the legislation was first proposed, and two years after it was adopted into EU law, the General Data Protection Regulation now applies across all 28 member states. Starting today, regulators, including the UK’s Information Commissioner’s Office, have the power to police and enforce it.
Just in time for the 25 May go-live date – which has, for some time, been indelibly branded into the consciousness of millions of IT professionals, legal professionals, and journalists – the UK Data Protection Act 2018 this week obtained royal assent, thereby becoming law. It replaces the Data Protection Act 1998.
This all feels like it has been an awfully long time coming. But how did we get here?
The journey to GDPR
In November 2010, the European Commission first set out a new strategy for data protection. At this point, the applicable EU legislation was the 15-year-old Data Protection Directive, which had passed into law in 1995 and was, the commission believed, no longer fit for purpose in the internet age.
The aim of this initial strategy was to build policy in support of five key goals: strengthening the rights of individuals “so that the collection and use of personal data is limited to the minimum necessary”; reducing the burden on companies of administration, by implementing a single legal framework; bringing law-enforcement data under the remit of data-protection law; increasing the protection offered to data transferred outside the EU; and enabling “more effective enforcement of the rules” by regulators.
About 15 months later, these ambitions had crystallised into a set of proposals for legislative reform. Measures proposed in January 2012 included the introduction of the now-familiar ‘right to be forgotten’, as well as the ability for national regulators to levy fines of up to €1m, or 2% of a company’s global annual turnover – figures that have, as we all know, since risen markedly.
The commission also proposed that: “Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.”
The main thrust of the proposals concerned ensuring that each country in the EU had a single data-protection authority, with the requisite power to police and penalise.
By March 2014, the journey towards GDPR had become “irreversible”, after the European Parliament voted strongly in favour of the proposed reforms.
To mark the occasion, the then European Commission vice president Viviane Reding said: “Europe’s directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens.”
The draft legislation was tussled over throughout the rest of 2014 and 2015, before finally being agreed upon in December 2015. GDPR was adopted into EU law in April 2016, with organisations given a two-year transition period before the regulation would apply.
That date has now arrived.
What happens now?
The Data Protection Act 2018 effectively makes GDPR Brexit-proof, signing into UK law pretty much all the measures and provisions of the EU regulation – and introducing some additional ones, to boot.
In a blog post published immediately after the act was given royal assent, information commissioner Elizabeth Denham welcomed both the DPA and the GDPR. The two new pieces of legislation will “make our country one of the world’s most progressive data-protection regimes”, she said.
“The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media, and big data,” the commissioner said. “The new act updates data-protection laws in the UK, and sits alongside the GDPR… [it] implements the EU Law Enforcement Directive, as well as extending domestic data-protection laws to areas which are not covered by the GDPR.”
Denham added: “The UK’s growing digital economy relies on consumer trust to make it work. The act, along with the GDPR, provides a modernised, comprehensive package to protect people’s personal data in order to build that trust.”
However, a number of companies from outside the EU do not trust themselves to comply with the new law in their dealings with European customers.
As of this week, Instapaper, a Pinterest-owned bookmarking service which allows users to save online content to be read later on another device, is blocking EU users until it has made the changes it feels are necessary to ensure GDPR compliance.
Payver, a US-based app that rewards users for supplying footage filmed by dashboard cameras, has discontinued its service in Europe entirely. Several online gaming services have also restricted access to European users.
The impact on this side of the pond ought to be less drastic. Quite apart from the two years that companies and public-sector organisations have had to prepare, even before any of them had heard of ‘GDPR’ they would all have been accustomed to complying with stricter privacy and data-protection laws than their counterparts in the US.
The rub now is how the legislation is policed, and enforced.
We do not yet know what an effective data-protection impact assessment looks like, because no-one has yet been scolded for undertaking a bad one.
We do not yet know whether anyone will be punished by the ICO with anything like the maximum fines of €20m or 4% of global annual turnover, whichever is higher. Nor do we know how badly you would have to protect people’s data to merit such a punishment.
We do not yet know how thoroughly we will be forgotten, should we wish to be so.
Nor do we know how the law will apply to the new categories of data that are being created all the time, in emerging-technology areas such as biometrics.
Given that a law is not really a law at all until it is unshackled from the statute books and let loose in the real world, we do not, really, yet know what GDPR is.
But, any day now, we are about to find out.