In less than a year, the EU General Data Protection Regulation (GDPR) will become applicable in all 28 member states of the European Union. Adopted in May 2016, the law is now halfway into its implementation phase. On this occasion, we are providing you with a state of play of GDPR-readiness. That includes a look at the objectives of the GDPR, how implementation is proceeding, how data protection authorities (DPAs) are preparing, and relevant legal cases.
First things first: the GDPR is here to protect your rights and create harmony in the law
Those of you who do not live in the Brussels bubble might not know very much about the GDPR. It is a user-centric law that replaces and strengthens the 1995 Data Protection Directive. This new law aims to put individuals back in control of their personal information, providing for a broad spectrum of users’ rights and a clear set of obligations for companies. These harmonised rules will benefit companies that have operations across Europe as well, lowering the administrative burden and providing legal certainty. But perhaps the biggest revolution is a new enforcement mechanism with significant fines to discourage companies from breaching the law. Under the GDPR, data protection authorities can fine companies up to 4% of their total worldwide annual turnover if they ignore their legal obligations and commit repeated, serious infringements. That’s important. Many companies have been diligently ignoring EU data protection norms for the past 25 years, and now they will have a lot of catch-up to do to avoid these significant fines and (finally) respect our fundamental rights. A new cooperation mechanism between data protection authorities will facilitate and harmonise the enforcement process.
How is implementation proceeding? That depends on where you live
Due to its nature, the new regulation provides a (mostly) harmonised, directly applicable set of rules to be uniformly enforced across the EU. Why are we saying “mostly”? Because following intense industry lobbying, lawmakers have introduced some “flexibilities” in the law, leaving the implementation of certain measures at the discretion of individual member states. Every EU country has two years to decide on those flexibilities and develop national laws to implement them.
This scenario of course contradicts the original objective of the GDPR, which was to ensure that new data protection measures to strengthen your rights would be delivered in a harmonised manner across the EU. Under the GDPR, someone living in Bulgaria should have the exact same data protection rights and access to remedy as someone living in Luxembourg. Civil society — including Access Now — is now working within the implementation process toward that original objective, so that users’ rights are fully protected everywhere in the EU — and companies won’t have to deal with a patchwork of protections when they roll out their products or services across Europe.
One key avenue for individuals to effectively exercise their rights under the GDPR is authorising an NGO to represent them before the courts and data protection authorities. Right now, not many people in Europe are aware that they have data protection rights, nor do they know that public authorities are there to help protect those rights. If your data protection rights are violated, having the option of NGO representation can help empower you. It opens up more avenues for remedy, increasing the chances that violations of your rights will not go unpunished.
The GDPR made this capacity a possibility for every member state, but unfortunately left it to each state to decide whether it will be allowed under their national laws. This has made possible a race to the bottom on protecting your rights in countries where collective redress and NGO representation are not yet part of the national legal system. For instance, lawmakers in Austria have advanced a draft law for implementing the GDPR that does not allow NGOs to launch data protection complaints on their own initiative. We hope that legislators in Austria will reconsider this approach. The Austrian NGO epicenter.works is working to fix the draft law to safeguard users’ rights and has produced a detailed analysis of the major shortcomings [DE]. Access Now has also provided comments to Austria’s legislature to ensure that NGOs can initiate complaints that hold companies accountable for violating the law.
Germany’s implementation of the GDPR is also far from perfect, despite the fact that the country has been a long-time defender of privacy and data protection. Germany was the first EU country to fully implement the GDPR but the EU Commission criticised its original proposal for going beyond even what is authorised under the flexibilities. Independent news outlet Netzpolitik.org extensively reported on the negotiations on the bill, which was adopted by the German Parliament in May 2017, and concluded that “the worst had been avoided”. Even though the end result has flaws, lawmakers removed from the legislation many of the provisions that presented serious risks for data protection and self-determination before it became law. For instance, they removed provisions that would have limited users’ rights to be informed, and to control how and why a company processes their information. These provisions not only failed pass muster from a fundamental rights perspective but were also in clear violation of the GDPR.
Needless to say, we expect more from EU states when it comes to respecting and ensuring our fundamental rights, including the right to data protection. Many countries have yet to complete their implementation process, and we caution EU lawmakers against introducing limitations to the GDPR rather than working to ensure an upgraded and harmonised level of protection for everyone in Europe. We also encourage governments to work closely with their data protection authorities. Many of these authorities are currently providing very useful materials to help companies prepare for compliance with the GDPR, and to help people understand what the law entails and how to enforce their fundamental rights. See for instance the materials prepared by the Portuguese Data Protection Authority, the Spanish, or the French.
Are data protection authorities prepared to enforce the law?
It’s not just EU lawmakers and companies that are gearing up for the GDPR. The data protection authorities are also preparing to monitor compliance with the new rules and to put in place the European board that will ensure harmonised and consistent enforcement across the EU.
The authorities recently provided a preview of what future joint investigations could look like: the DPAs of the Netherlands, France, Spain, Hamburg, and Belgium worked together to investigate Facebook’s privacy practices. As a result, the company was found to be in violation of EU data protection law, in particular for processing sensitive personal information related to users’ health and religious or political views without their consent. The French authority therefore fined the company while authorities in Belgium and the Netherlands conducted further judicial investigations into the same activities. While this is not the first time that authorities have conducted such a joint action, it has been rare. This should change when the GDPR becomes applicable.
Relevant legal cases
We can see further into the crystal ball by looking at cases that EU data protection authorities have been involved in.
Data protection authorities have participated in court cases regarding the application of the former Data Protection Directive. Given the similarities between the GDPR and the former directive, jurisprudence on the former directive is likely to remain highly relevant. In addition, most of the case law developed on the basis of the former directive has been included in recitals and articles of the GDPR, to clarify its scope, application, and interpretation. The Schrems case, as a remarkable example, has clarified that when data are transferred from the EU to a third country, that country must ensure “essential equivalence” in the protection of personal data.
EU data protection law has also been interpreted in the Google Spain case, which articulated the right for internet users to get certain search engine results using their names delisted, popularly known as the “right to be forgotten”. The interpretation of this right has raised a large number of concerns, in particular due to the risk for freedom of expression and information, and for the discretion left to private entities like Google to determine whether a search result should be delisted or not. The Court of Justice of the European Union will soon rule again on that matter, as the French Conseil d’Etat sent a case opposing Google to the French DPA regarding four delisting requests that Google denied.
Parallel to this, Google and the French authority are having another legal battle in front of the Conseil d’Etat regarding the scope of the de-listing. In 2016, France’s DPA fined the Google 100.000€ for failing to comply with an order to extend the application of a European privacy ruling across its global domains, including google.com, rather than limiting the delisting to google.fr. Google has lobbied intensively to limit the application of the “right to be forgotten”, arguing that delisting requests should be limited to a specific jurisdiction.
Both cases are expected to be resolved over the next two years. They will bring clarity to the application of the “right to be forgotten” in Europe, which has its flaws — in particular the lack of transparency in decision-making for delisting, and the limited avenues for remedy. The cases will also have global impact, since several countries have attempted to apply a “right to be forgotten” in their own jurisdictions, often outside data protection regimes. This has opened the door to abuse of human rights.
What’s next? Stay tuned.
As we note above, we’re halfway to the GDPR, and there are sure to be many more developments as lawmakers across Europe finalise legislation, DPAs prepare for enforcement, and the courts make rulings on data protection and related laws. Our focus is on the users, and we’ll keep you updated.
Of course, the GDPR is only one piece of the puzzle for the rights to privacy and data protection in Europe. If you’d like to learn more, here is information regarding the ongoing EU reform of online privacy laws (“e-Privacy”), which will complement the GDPR.