Five years ago, one of the EU’s most globally influential and consequential pieces of legislation came into effect: the General Data Protection Regulation (GDPR). This groundbreaking law reshaped and fortified the data protection and privacy landscape overnight. So lax was existing international legislation in this area that many businesses and other organisations initially failed to take GDPR’s arrival seriously and prepare for compliance.
While it has its imperfections and exasperations, the GDPR has given EU citizens unprecedented, tangible safeguards and rights in an area where people, including children, are hazardously exposed and vulnerable – the collection, collation and use of their personal data. It doesn’t help that the everyday, innocuous processes by which we yield up our data, such as shopping online, posting to social media, or using almost any device with an embedded chip, from smartphones to TVs to cars, all harvest data easily and invisibly.
Pulled together into ever-expanding databases, such data reveals the minutiae of our lives in intimate detail. This is why the Court of Justice of the EU (CJEU) has repeatedly affirmed an individual’s right to an expectation of privacy and the obligations of data collectors.
This is a complex area requiring fine-tuned, proportionate balancing of data use and privacy protections. Still, as a slew of recent Irish-focused rulings from the CJEU and the Office of the Data Protection Regulator (DPC) have made clear, people need the GDPR’s protections. Businesses, the State and law enforcement all continue to use data in violation of the GDPR’s protections.
This week’s €1.2 billion fine against Meta by the DPC is a potent reminder that the GDPR has sharp enforcement teeth. It’s unfortunate that the DPC actually opposed using its significant fining power, and that the punishment ultimately came through the EU’s oversight body, the European Data Protection Board, where the consensus decision was to impose a fine. But that readjustment mechanism is another assurance that the GDPR generally works as it should.