On May 25th GDPR comes into force for Europe’s 500m citizens
The General Data Protection Regulation is a 99-chapter piece of legislation that returns to people control of their personal data
GDPR is a new EU regulation that updates and harmonises how data is gathered, processed, stored and used across the bloc
Viviane Reding. “Lobbyists and national governments tried to stop it. Today they agree it is an indispensable piece of legislation.” Photograph: Getty Images
Jan-Philipp Albrecht. He is complimentary of the role played by Ireland in getting GDPR over the line. photograph: Getty Images
You can thank Brussels if your in-box is soon less clogged than usual with spam. Above all you can thank Jan-Philipp Albrecht, a boyish Green Party MEP from Germany, and Viviane Reding, an ex-EU commissioner from Luxembourg with a passing resemblance to Sophia Loren.
On May 25th, after a staggering period of negotiation, gestation and labour, one of the EU’s most far-reaching – and timely – pieces of legislation comes into force for Europe’s 500 million citizens. All going well it will nudge us out of the digital middle ages and towards the Renaissance.
Of course, Brussels being Brussels, this ground-breaking law has been hidden behind an obscure name. The General Data Protection Regulation – GDPR to its friends and many enemies – is a 99-chapter whopper that returns to people control of a valuable asset of the modern age: their personal data.
In the right hands the digital information you generate – when you use your smartphone or a loyalty card – is a veritable gold mine. Though this is your information to give and yours to revoke, in the worldwide web Wild West nobody cared too much about legal niceties like that – until now.
Instead, digital equivalents of factory fish trawlers sailed around sucking up our data, processing and selling it for profit without our knowledge or explicit consent – and they made fortunes along the way.
From next week the tables are turned on “free” online services and even good old-fashioned spam: if someone wants to offer a service in exchange for data or send you commercial emails you have to opt-in.
That’s why you may have noticed – ironically enough – even more spam of late from companies, rushing to meet that May 25th deadline, asking for your permission. From blog owners to social media giants, the new rules affect everyone.
An army of advisers, including some chancers, have fanned out in recent months, anxious to make GDPR the most profitable cash cow/scare story since the millennium bug.
“It’s absurd the panic being created over GDPR compliance by people with only a vague idea of data protection [who are] charging big money for lectures,” said Albrecht.
Now just 35, Mr Albrecht will soon leave the European Parliament after almost a decade specialising in civil rights, data protection and democracy. He was appointed rapporteur or parliamentary point man for the new data protection rules, a Sisyphean task at the heart of the stylish documentary Democracy (available on Netflix).
As soon as the draft GDPR legislation was on the table in Brussels, it was buried under some 4,000 parliamentary amendments – from concerned MEPs and well-paid lobbyists with clients anxious to kill it off.
“We’ll never finish with it,” sighs a despairing Albrecht in the film in early 2013. But finish they did, aided along the way by revelations of the dangers of unchecked data dragnets by whistleblowers like Edward Snowden.
The other key player in Democracy is Reding, former EU commissioner for justice, fundamental rights and citizenship. Six years on, she remembers the reaction to her first legal draft of what became GDPR.
“Lobbyists and national governments tried to stop it,” she told the European Parliament recently. “Today they agree it is an indispensable piece of legislation.”
The US social media giant’s benevolent apathy towards European privacy norms has sparked a series of lawsuits in the EU. As early as next week, Facebook’s billionaire founder and chief executive Mark Zuckerberg has agreed to testify on the matter at what is likely to be an interesting – if, ironically, a behind closed doors – European parliament session.
Before the US congress Zuckerberg praised new EU data rules, and promised to extend similar safeguards to all Facebook users worldwide. Yet MEPs are likely to ask Zuckerberg about a subsequent U-turn in Facebook’s Dublin headquarters which reportedly stripped EU levels of legal protection from all but European users of the social network.
Albrecht says the move smacks of desperation, and is, paradoxically, a vote of confidence in GDPR.
“It shows they have a real fear of sanctions, but I can’t see it lasting long,” he said. “Eventually users outside Europe will want to know why Facebook – for legal, not technical reasons – is offering them lower data protection standards.”
Whatever happens outside the EU, GDPR is likely to bring a a “flood of lawsuits” for Facebook, according to a recent Deutsche Bank investor note. And, as in the recent past, Dublin’s concentration of tech giants means many legal battles to test Europe’s new privacy rules are likely to play out in the Irish courts.
Albrecht, as a key figure in the birth of the EU’s new privacy rules, is complimentary of the role played by Ireland in getting GDPR over the line – from Irish MEPs in Brussels to Dublin’s support during its 2013 EU presidency of the European Council.
“Ireland made a big effort then, all the more reason to prove now it can do much better in data protection,” said Albrecht, a none-too-subtle warning to Helen Dixon, Ireland’s data protection commissioner (DPC).
GDPR boosts Dixon’s already considerable responsibility for regulating big tech companies with EU headquarters based in Ireland: Google, Facebook, Twitter and many more. This week she warned these companies, via the New York Times, that they would “suffer consequences” if they flout the new regulation.
Even after recent boosts in resources, Dixon conceded her office “should be far more highly resourced”. The New York Times estimates that her budget is just one 40th that of Ireland’s financial services regulator.
None of her European data protection colleagues would begrudge her more money and staff. Indeed, many cannot wait for next Friday to assist her office’s work. This is possible thanks to a new GDPR provision which will allow citizens with privacy concerns about Facebook, for instance, to file a complaint in their home country and let their national regulator liaise with, and if necessary intervene in, the DPC’s investigation in Dublin.
It remains to be seen how this new co-operation works over a sensitive cultural norm like privacy, shaped by national historical experiences. Despite vastly different schools of thought across the continent, from liberal to stringent, EU officials are optimistic GDPR will develop a “European culture of protection of privacy”.
“I think within two years we will see where the spirit lies,” says Vera Jourová, successor to Reding in the EU justice commissioner role. She is confident the new rules have struck a healthy balance between citizens’ fundamental right to privacy and legitimate business interests to collect and process data without an excessive legal or financial burden.
Despite a long transition period, she concedes many small- and medium-sized businesses without large legal departments are still in the dark about what the new rules mean for them. There is a need for GDPR compliance from next Friday, she insists, but no need for panic.
“National data protection regulators don’t see their role as being sanctioning machines from day one. They are ready to consult and help in the first year when we expect the system to settle down.”
However, it’s clear she expects swifter and more robust rulings from national regulators in the wake of the Facebook/Cambridge Analytica scandal.
“We want to see action and corrective measures. [So] if there are breaches, companies must be the object of sanctioning,” she told journalists this week in Berlin.
Though anxious not to directly criticise the Irish data regulator, an independent Irish body beyond her remit, Jourová says GDPR will only work “if everyone does his or her task”.
Six years in the making, the new EU privacy laws that come into effect on Friday may provide an interesting epilogue to another major event that day: Ireland’s abortion referendum. Regardless of the squabbles over banning online referendum ads, Albrecht says anyone using personal data of dubious origin in the Irish campaign may face a rude – and expensive – awakening after polls close (see panel).
“Anyone processing data up to May 25th for the Irish referendum will come under the new privacy rules,” confirms the German MEP. “And I’m very interested to see how that turns out.”
What is the General Data Protection Regulation (GDPR)
– GDPR is a new EU regulation that updates and harmonises how data is gathered, processed, stored and used across the bloc.
– It gives citizens power to control what data is held by others on them.
– It requires everyone who collects data – companies, public bodies, clubs, medical practitioners and more – to obtain explicit user-consent for collecting and processing that data.
– Data collected must be accurate, up to date, be held for the minimum time necessary and safe from hackers.
– Citizens may withdraw consent for someone to hold both their personal data (name, phone number, location data) as well as sensitive data (ethnicity, sexuality, religion, medical conditions).
– With no minimum fines, entities in breach of GDPR could face a financial penalty as high as €20 million or 4 per cent of group turnover, whichever is higher.