The General Data Protection Regulation: From Promises to Reality

The re-posting of this comment is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.

In December 2012, the Commission put forward its proposal for a General Data Protection Regulation (“GDPR”). According to the Commission’s own words, “The Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”

After almost four years, at the end of the so-called trialogue, the Commission, the Council and the EU Parliament have reached agreement on a proposed text, which needs the final vote of the Parliament and the agreement of both the Council and the Commission. It is likely, indeed it is expected, that by the end of February the Regulation will have been finally approved. The purpose of this comment is not to analyze the text and the wording of the GDPR; I will rather concentrate my analysis on two points:

1. When the Regulation was first presented on 25 January 2012, the premise, indeed the very basis to move from the Directive to the GDPR was (and still is) to have only one law applicable in all of the EU: is it really the case? Will Europe finally have a uniform law, applicable across all 27 Member States?

2. Technology is moving ahead at a pace never experienced before. In addition, the widespread use of mobile devices has created a whole new market of products; finally, robots are coming in our world very strongly (and in some areas they have been used for decades already). Is the GDPR what we need to tackle the issues raised by new, ever-changing technology?

 

1. One single law.

According to the words of Commissioner Viviane Reding, when the GDPR shall be effective we shall have a single privacy law in all 27 countries. According to the words used by the Commission in January 2012, the GDPR would have delivered ”a single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year”[1].  Four years later, more or less the same triumphant words have been used in the press release issued at the time the European Institutions reached agreement: “a single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year”[2].

The truth of the matter is quite different. Section 88 of the GDPR repeals Directive 95/46/EC, but not Directive 2002/58/EC, the so-called ePrivacy directive (amended with Directive 2009/136/EC), better known to most practitioners as the “Cookies Directive”. The fact that there would not be a uniform regime was well known to everyone under the sun (including the Commission, one hopes). Indeed, the Commission itself, one and half year after pounding the drums of a uniform legislative scenario, issued a request for proposal under which the chosen contractor was required to evaluate (among other things) the potential problems deriving from having  two different legal instruments[3] in force at the same time. One and a half year after stating “one Europe, one law”, the Commission itself was looking for someone to tell them what would be the potential consequence of a dual-system legal environment. Hard to believe, but the highest authority in Europe did not know itself what it would be the consequences of its own acts, and asked someone else to assess them!  There are two possible scenarios to justify this mess: under the first scenario, someone within the Commission made a gross mistake: he/she did not know of the existence of Directive 2002/58/EC. The second scenario is that the future co-existence of the GDPR with the ePrivacy Directive was well known (one would be very hard pressed to believe that the Commission ignored it), but if this is the case the words of Ms. Reding sound very odd indeed.

So much for what happened in 2012. But if it is hard to believe that at that time Ms. Reding may have been misled by some functionary, it is just as difficult to accept the same statement and the same words being used today[4]. To top this mess off, when one reads the entire press release, it states that the Junker Commission has delivered a comprehensive Data Protection reform, which included the GDPR as well as the new Data Protection Directive for the police and criminal justice sector. “The Directive for the police and criminal justice sector protects citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism”[5].

Which means that European shall cope with three legal instruments on the same subject: one Regulation and two Directives. So long to the “single law” approach.

Now, some may say that the two Directives have a different scope as compared to the Regulation; nevertheless, the reality shall be that Europe shall continue to have different rules on different aspects of Data Protection in each Member State.

But on this topic there is more to be said, much more.

The real problem lies in the following fact. Since the implementation of Directive 95/46/EC, each the Data Protection Authoritiy (“DPAs”) of the Member States has approved specific regulation on several items. Just to stay with Italy, the Italian DPA has issued regulations on matters like video-surveillance, fidelity cards, system administrators, clinical trials, mobile payments, etc. The list could go on for a couple of pages. The same has happened in other countries. Now, all this secondary legislation is not going to be impacted by the GDPR. In fact, Whereas n. 8 states the following:

This regulation does not exclude Member States law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful”.

And Whereas n. 134 is more explicit on the point: “Commission decisions adopted and authorization by supervisory authorities based on Directive 95/46/EC remain in force”.

In other words, if yesterday Italy, Spain, Sweden and (or, if you wish) UK had a specific regulation on anyone of these items, the situation shall remain the same and businesses will continue to cope with different regulation for the same processing in different countries[6]. On one hand, this is logical: if all these regulations were repealed, there would be an enormous legislative vacuum and personal data would not be protected. But different regulations on the same subject shall still be in place all over Europe.

Finally, according to Whereas n. 119, “Member States may lay down the rules on criminal sanctions for infringements of this Regulation”. Again, this is going to create differences between the laws of Member states and set the condition for a round of forum shopping, just as it happened with Directive 95/46/EC.

The sad conclusion is that no, there is not going to be one single law in all 27 Member states. This is what we were told, but this is not going to be the case. It is extremely disappointing, since I believe Europe has a duty to tell the Europeans the real story. It has not been the case with the GDPR.

 

2. The state of the art and the GDPR

Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale…Technology has transformed both the economy and social life”[7].

These developments require a strong and more coherent data protection framework”[8].

Yes, technology has changed our lives, and shall continue to do so, in a way and at a pace we can hardly imagine. I have always made the point that if one compares the IT industry to the automotive industry, we’re about at the time of the Ford Model T (whose production started in 1908). The Model T looked pretty much like Granma Duck’s old car. If one compares the timeframe, considering that widespread use of the net and of IT technology has started in the last decade of the past century, that’s where we are. In other words, what we see and what we know to-day is only the beginning. Industrial robots have been used in manufacturing for more than two decades now; medical robots are used in complex and non-invasive surgery, many of them are operated via network, so that the surgeon is not present in the location where the surgery is being performed, but outside the hospital, and in some cases in another country. Robots are starting to be used in households.  Drones are one of the hottest items in the marketplace: Amazon is said to be using them to deliver its parcels. Computing power and storage capacity is getting faster, cheaper and more easily available at ever decreasing cost. Telecommunication technology is moving ahead with unprecedented speed. Users and consumers are linked 24 hours a day, seven days a week; they buy goods on line, participate in auctions, post comments on restaurants and on any commercial item available under the sun. Big data is getting bigger and bigger, fostered by a surge in availability of different means of connection (gaming consoles, smartphones, tablets); cloud computing is now used by medium and small business thanks to IT giants like Microsoft, Google, Amazon, etc. Internet of things shall open more potential for new and creative use of old household objects: lights, heating systems, tv sets, fridges, etc.

Without a doubt, the biggest change (and the most taunted one) shall be in the automotive industry, that for the first time in its history is opening up to the use of a technology other than engine technology. In this industry many example of automation or digitalization are already a mature technology (to name one: gps or similar technology is available on almost every car), and the declared goal of the Googles and Apples of this world is the autonomous car. This will change even more the way we live.

This dramatic and continuous change seems to have been missed by European Legislators. The GDPR is still based on the same principles and logic of Directive 95/46/EC, with some changes here and there, but the basic structure is the same. On its part, the Directive is based on the principles of the Strasburg Convention[9], which dates back to 1981. The question is: does someone really believe that the complexities and the technologies of this century can be regulated by a set of rules that were established 35 years ago?

Does someone really believe that the information-consent process, in the way it is conceived today (and shall remain, with the new GDPR), is the answer to the advancements of technology?

I do not believe, as some famous law scholar does, that technology is the law and that we should therefore cave in to any and all new development of science and IT. That’s not my position.

On the other hand, using a standard that was devised at a time when the computing model was the old IBM mainframe is unacceptable. With this standard, it shall become more and more difficult to comply with the law, to apply it to new devices and usages, to the creative new products and little things that we are starting to get used to, and that shall be the norm in the future.

No, in my opinion the GDPR is not a step forward, but a meaningless repetition of an old cliché, another painful evidence that law cannot keep the pace with technology.

 

3. A final point

The GDPR is, beyond any doubt, one of the most complex statutes ever enacted by the EU. Including the lengthy whereas clauses, the Regulation is some 200 pages long, with many (too many) sections interconnected among them; several of the key sections of the law have cross references to other sections; complex wording leaves ample room for dubious interpretation, in short, the GDPR  is one of the most complex pieces of legislation ever. The cost of education on this Regulation is going to be very, very significant. The press release of the EU maintains that with the GDPR there shall be savings for 2.3 billion for business. I do not know who arrived to this figure, but what I know is that the GDPR shall require a significant shift in the way companies carry their business: a large number of companies shall hire a Privacy Officer; all business are now required to maintain a record of all processing activities (whatever that means)[10], to carry out a security assessment, to implement prior consultation with the DPA (in certain cases) etc.

There are no doubts in my mind that the protection of privacy is a fundamental human right[11] and that “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls “the right to be left alone”.[12]

If Europe wants to be serious in protecting the right to be left alone, adequate legal instruments have to be put in place: they have to be simple, easy to understand and easy to implement, otherwise they shall fail.

 


 

[3] “ePrivacy Directive: Assessment of transposition, effectiveness and compatibility with proposed Data Protection regulation, SMART 2013/0071B1.  Sec. B.1- Analysing the legal consequences resulting from the co-existence of the ePrivacy Directive and a data protection Regulation”.

[4] See footnote 1.

[6] In addition, on several items the Regulation leaves room to the member states to implement their own regulations and statutes: see whereas 125 a on scientific research, whereas 127 on access to personal data by the Supervisor Authority.

[7] GDPR, Whereas # 5

[8] GDPR, Whereas # 6

[9] Strasbourg Convention of January 28, 1981, n. 108

[10] Sec. 28 of the GDPR: the list of items to be included in this list is quite comprehensive.

[11] GDPR, whereas 1: “The protection of natural persons in relation to the processing of personal data is a fundamental right”.

[12] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).