It took lawmakers in the European Union more than five years to design a new regulation on data protection, the so-called General Data Protection Regulation (GDPR). At last, it becomes active on 25th May 2018. With the GDPR, data protection has been modernised for the ever-changing 21st century. It will give citizens control over their own information, and smaller businesses will have an advantage over big international ones. This is cause for celebration on 25th May, and we look at why this is a win for Greens and the public:
More data protection is necessary and was asked for
Most of us browse the web daily. We use online tools, cloud services, email providers, etc. Whilst a large majority (7 out of 10) of EU citizens are concerned about their information being used for a different purpose than the one it was collected for - very few of us understand where our data is being processed and to whom it is being transferred.
Personal data comes in many forms. It can be personal information about us that is being stored online; it can be our phone number in an address book; or it can be our medical records stored in a file at our local doctor’s office. Some of this data is by nature more sensitive, which is why they deserve a high level of protection. A majority of citizens wish to take back control over their data.
Until now, a directive from 1995 regulates data protection in the EU. A directive is a legal text that requires member states to achieve certain results without prescribing the means to achieve them. Some years ago, people realised there were two key issues: firstly, the current legal framework is a patchwork of different national laws that make it very difficult to know exactly what is legal in which member state. Secondly, the directive does not reflect the recent rapid developments in the IT sector, allowing for data processing and analysis that was unthinkable in 1995.
The Greens are celebrating the beginning of application of the GDPR, because it is:
Brilliant for citizens...
There are numerous advantages for citizens. With the GDPR comes:
• the right to be forgotten (companies have to delete personal data upon request and even forward the request to third parties processing the data),
• the right to object to data processing (even by merely activating a “do-not-track” option in their web browsers),
• the right to data portability (receiving personal data in a commonly used format and being able to easily transfer it to a different service provider),
• and the right to disclosure (knowing exactly who treats what personal data).
At all times, the processing of personal data requires the consent of the person concerned. This gives back control to citizens, especially because this consent needs to be freely given, specific to the situation, informed and unambiguous. Users of a web service cannot be confronted to a “take it or leave it” choice anymore, as a service cannot be offered solely when the user accepts the processing of their data exceeding what is strictly necessary for the service. But can we be sure companies care about these new rules? Yes! - the GDPR allows authorities to sanction breeches of data protection. These sanctions can be as high as 4 % of the global turnover of a company – for big players like Facebook, these sanctions can be in the billions.
...and advantageous for businesses
Businesses in the EU can rejoice about a common standard applicable in the EU, but also for everyone handling data of EU citizens. Unfair practices of big international corporations settling in EU member states with the weakest data protection laws (“race to the bottom”) will end. Smaller companies on the European market will have an advantage over big international players for applying the strictest standard worldwide and thus being fit for the entire world. And because companies around the world have to comply to the new rules (“market location principle”), there is no need to fear an exodus of tech companies from the EU.
The GDPR also holds another advantage: A one-stop shop principle allows companies and citizens to refer to the data protection authority in their respective member state. The authorities will coordinate with each other and sort out the request. No need for cross-border and language requests from companies or citizens.
Time for celebration
In the European Parliament, MEP Jan Philipp Albrecht has been the driver of this extensive legislative project. As the rapporteur for the law in the LIBE committee, he spent countless hours discussing with stakeholders and citizens, convincing his colleagues, and finally finding an agreement among a large majority in the plenary. The long walk to the GDPR is also the subject of a movie worth watching called Democracy (Trailer). We believe the effort was worth it. If you agree, celebrate with us on 25th May 2018!