GDPR: the risks of empowering lawyers, not citizens
While the General Data Protection Regulation constitutes a remarkable example of what the European Union can achieve for EU citizens, the implementation reveals some failures for their data protection.
From a EU citizen’s perspective, it is rather exceptional to observe how much the General Data Protection Regulation (GDPR) was publicised, commented upon and praised as it entered into force on 24 May 2018 and became applicable from the following day. The GDPR repealed and replaced the old 1995 Data Protection Directive. This regulation of immediate and EU-wide application incorporates among its ninety-nine provisions many rights, some new, for all EU citizens: right of consent, right to access, correct and move your data, right to be forgotten, right to clear and accessible information, a ban of decisions based solely on automatic processing, etc. The reform is also procedural, as it enhances the public enforcement powers of data protection authorities and the private enforcement capacities of EU citizens.
While the GDPR is supposed to convert the European Union into the world’s lead privacy regulator, from a citizen’s perspective, this new bold achievement has not been deprived of early failures. By failures, I refer to issues in implementing the GDPR that have not contributed to the increase of citizens’ rights. This blog briefly reviews the most obvious of them.
First, it is difficult to ignore the intended failures of the GDPR. The legislation does not only achieve progress in data protection. For instance, the GDPR could lead to the weakening of the right to be forgotten. This right has been introduced by a ground-breaking ruling of the Court of Justice of the European Union in the Google Spain case (C‑131/12, decided 13 May 2014, ECLI:EU:C:2014:317). It led Google and others to dramatically shift the way personal data is exposed online. Although the GDPR proposal of 2012 already included a right to be forgotten, a bold move from the European Commission at the time, the text finally adopted by the Council and the European Parliament seems to represent a partial retreat from both the initial proposal and the case-law, weakening, as a result, EU citizens’ right to be forgotten, according to de Hert & Papakonstantinou (in the Computer Law & Security Review, vol. 32, p. 179) and Di Commo (in the Italian Law Journal, vol. 3, p. 623). Concretely, the GDPR does not define the right to be forgotten and its Article 17 lacks clarity, includes significant exceptions and omits key elements, such as the role of search engines.
In addition, much uncertainty remains over the meaning and the reach of some provisions. This uncertainty is not unintended, it is the mere, some would say normal, consequence of a political compromise in a legislative text of general application. However, the uncertainty has been generating many challenges. Challenges for companies to understand their obligations and to comply. Challenges for EU citizens to understand the extent of their rights. Challenges for data protection authorities and lawyers to educate the public about the consequences of the law. As a result, the fact that data protection is now governed by a directly applicable EU Regulation has not prevented significant divergence in interpreting the new law. Even more importantly, this divergence and a poor understanding of the law seems to have led many companies to underestimate the reach of their new obligations. Suffice to look at one’s email box to see how generic, unclear and often misleading information has been given to EU citizens about their rights. This uncertainty is clearly detrimental to the new data protection supposed to be given to EU citizens.
Secondly, unintended consequences often derive from this lack of clarity. The massive spamming of EU citizens preceding the date of GDPR entering into force is one of the very well-known paradoxical consequences of the GDPR. An analysis of GDPR-related spam, when it has been sent, shows that data processors frequently do not provide for clear information about the data recipients, the data processed and the reasons for data processing. The right of affirmative consent is also often ignored. Furthermore, data processors do not always provide for a right to erase data, despite their obligation under Article 12(2) and 17 GDPR. The provided facility often remains a simple ‘unsubscribe’ option, which is largely insufficient to guarantee the effective erasure of personal data. Furthermore, despite the large territorial scope of the GDPR (see Göman in the Common Market Law Review, vol. 54, p. 267), data processors of third countries may continue to ignore the protection of EU citizens’ data. Conversely, another unintended consequence and failure of the GDPR is the termination of some services, particularly from providers established in third countries. While the GDPR is revealing how precious data is for the economy, it is also highly demanding for companies. A few companies, often of small and medium-sized, relying heavily on data, have decided to terminate services or to close altogether as a result of the GDPR. Sometimes, it is due to an erroneous understanding of data processors’ obligations. It has been particularly exemplified by the unexpected decision by some US media, ranging from Los Angeles Times to the Orlando Sentinel to block EU users from accessing their websites in the wake of GDPR’s implementation.
While the GDPR clearly represents a leap forward for EU citizens’ rights and constitutes a remarkable example of what the European Union can achieve for its citizens, the GDPR’s implementation has revealed important failures for EU citizens’ data protection. These failures are primarily related to the lack of clarity of the new legislation. The evidence suggests that the six years it took the EU to enact and apply the GDPR since it was first proposed in January 2012 by Commissioner Viviane Reding, represented a missed opportunity to better educate companies about the impact of the GDPR. It also suggests that the GDPR has only been partially effective and that much clarification and enforcement would be needed to ensure the correct application of its modern standards of data protection. As such, the GDPR is magnifying the long pitfalls endured by EU law: lack of effectiveness, consistency and understanding of the rights and obligations it creates. It is to hope that the European Union will learn from the GDPR and attempt to find remedies to its failures when adopting and implementing the future e-Privacy Regulation. Otherwise, the law will keep empowering lawyers rather than citizens, following Bentham’s famous line that, ‘the power of the lawyer is in the uncertainty of the law’.