Vera Jourova, the EU’s justice commissioner, describes it as a “loaded gun” in the hands of regulators. On May 25th 2018 the EU introduced the General Data Protection Regulation, which will, its advocates argue, dramatically improve the care with which organisations both within the EU and elsewhere treat our personal data.
GDPR will harmonise data protection rules across the world’s largest trading bloc, give greater rights to individuals over how their data is used, put in place significant protections for children and streamline regulators’ ability to crack down on breaches. When the new rules were first proposed, many executives in Silicon Valley derided them as restrictive and anti-competitive. But in the wake of the scandal over the use of Facebook data by Cambridge Analytica, Europe’s approach to data privacy has started to appear much more relevant.
According to many companies and data protection authorities, GDPR could become the global norm, setting standards for behaviour not just in the EU but in countries where hitherto individuals have had few weapons to defend their rights online.
“Europe was way ahead on this,” Sheryl Sandberg, Facebook’s chief operating officer, admitted last month. Yet as the final countdown to May 25 begins, cracks in the EU’s vision have appeared. Many businesses are unprepared for the new rules and several countries have failed to pass the necessary legislation to implement them nationally. Serious questions have also been raised about the ability of data protection authorities across the bloc to enforce the new rules adequately. “Everybody is leaving it until the last conceivable moment, despite the fact there was a two-year deadline,” says Harry Small, head of data protection law at Baker McKenzie. “Quite a lot of companies have not really woken up.”
Even critics acknowledge that GDPR will introduce a new rigour into the messy patchwork of rules governing how our data are treated across Europe. It requires any organisation anywhere in the world that handles the personal information of an EU citizen to be transparent about how it collects, stores and processes it. Organisations must obtain unambiguous consent to use and retain data, keep it up to date, delete old data and — if they have a large volume of personal information, data subjects and range of items — will have to appoint a data protection officer.
Consumers will have the right to ask for the information companies hold about them and request that their data is deleted from business databases. The rules forbid companies from processing data on race, ethnicity, political opinions, religious beliefs, trade union membership or sexual orientation without explicit consent.
Ultimately, the impact of GDPR will depend on whether individuals decide to exercise the greater powers the rules give them. They are part of a growing worldwide push for customers to mature into “digital adults”, with both greater control over and responsibility for their own information. Proponents hope that GDPR will help individuals become both more demanding and more aware of their power.
“Data subjects are going to become increasingly aware of their rights, and they’re not going to put up with poor practices by organisations,” says Helen Dixon, Ireland’s data protection commissioner. But she points to the fact that Facebook’s registered users have increased even while the Cambridge Analytica scandal has raged as an example of the so-called “privacy paradox”, that while people say control over their data matters to them, they have remained, by and large, casual about relinquishing it.
It is not just organisations which are lagging behind. In January the European Commission said that of the bloc’s 28 member states only Austria and Germany had fully adopted changes to their legislation ahead of the new regulations. While countries such as the UK are expected to pass the laws at the last minute, Baker McKenzie says five EU countries, Bulgaria, Greece, Malta, Portugal and Romania, have not even published a bill or proper information about how they will implement GDPR.
For organisations which remain in breach of the new rules, failure to comply could bear a high cost, with fines of potentially 4 per cent of global turnover or €20m, whichever is the greater. The cost of putting things right, as well as the reputational hit, could be even higher.
But there are significant question marks over whether those in charge of enforcing the new rules are up to the task. As early as 2015 Jacob Kohnstamm, former chairman of the Netherlands’ data protection authority, was warning that organisations breaking the rules faced “little chance of being caught”. Given his organisation’s budget to do investigations, “the chance of having the regulator knock on your door is less than once every thousand years”.
The budgets of most European DPAs are still a fraction of those in North America — and have only risen by about a quarter on average across the bloc in response to the increased demands on them that GDPR represents. Giovanni Buttarelli, the EU’s European data protection officer, warned at the end of last year that the number of people working for regulators in the EU — about 2,500 — was “not many people to supervise compliance with a complex law applicable to all companies in the world targeting services at, or monitoring, people in Europe”.
Source: Financial Times