DiPP - The GDPR story: an early, wide-ranging assessment
The General Data Protection Regulation (EU) 2016/679 addresses the protection of natural persons with regard to the processing of personal data and the free movement of such data. It is seen in the EU as an essential step to strengthen citizens’ fundamental rights in the digital age and to facilitate business by simplifying rules for companies in the digital single market. A single law will also do away with the current fragmentation and costly administrative burdens.
The regulation entered into force on 24 May 2016 and applies from 25 May 2018. Over the last few months, Brussels has increasingly been referred to as the world’s regulatory capital for data protection. What was mostly meant as a tribute sometimes felt like a dubious privilege and a steep challenge as the day of reckoning drew near. Will this complex legal construct, with its sprawling geographical scope, stand the test of time?
These leading experts have agreed to launch a multi-faceted DiPP conversation on this critical topic:
- Florence Raynal
Deputy Director, European & International Affairs, CNIL
- Corinna Schulze
EU Government Relations, Global Corporate Affairs, SAP
- Philippe Dambly
Product & Innovation Manager, LAR
- Antony Walker
Deputy CEO, techUK
- Jean-Jacques Sahel
Managing Director, Europe, ICANN
- Cecilia Bonefeld-Dahl
Director General of DIGITALEUROPE
The GDPR, a milestone regulation, has made the EU popular around the globe. The world is indeed watching this unique mix of privacy protection and improved business environment as it enters into application, in a development that is also a lesson in how Member States relate to Brussels. But flawless implementation is a prerequisite for it to travel well: the future will tell…
The GDPR should not be considered in isolation but seen as an integral part of the EU’s digital strategy, alongside the Digital Single Market, AI, etc. More critically, it offers an opportunity to restore trust online, and hence to boost all business that targets the EU. The message it conveys is clear and timely: privacy matters, particularly in the fallout of the Cambridge Analytica fiasco.
A bird’s-eye view of where the GDPR stands five days after it became applicable would spot this:
- In France, the implementing law should be ready by mid-June. The CNIL’s remit doesn’t stop there, though: its website is teeming with guidelines, checklists and tips meant to educate business and the general public, from drawing the right line between controller and processor to self-initiated privacy impact assessments and how to handle data breaches. Incidentally, two class actions are in motion there, courtesy of Max Schrems and La Quadrature du Net. The Article 29 Working Party (soon to become the European Data Protection Board) has produced no fewer than 15 guidelines over the last 4 years.
- In the UK, business has embraced the GDPR enthusiastically: it is perceived as a game-changer. The Cambridge Analytica fiasco helped spread the idea that the time has come to address privacy seriously and to curb data misuse. While awareness is on the rise, there is still confusion: business and the general public need to understand their rights and obligations better. In any case, only case law will properly clarify such complex legislation over time. One issue to be sorted out is the adequacy of the various DPAs’ human resources. The ICO is well equipped in this respect and has a good record of delivering on its remit: this may help the EU consider the UK government’s request to let the ICO stay in the EDPB after Brexit, in the context of a ‘data partnership’ that goes beyond mere adequacy. If the UK cannot be granted an adequacy decision, who can? Mr Barnier’s lukewarm reaction reflects the context of a broader negotiation: horse trading tends to trump logic when push comes to shove. Incidentally, the UK, a world champion of data flows, is talking to Japan and the US about the future protection of personal data: techUK’s latest report on the impact of data flows is worth a look.
- Beyond the EU, the Council of Europe has managed to gather its 47 members around Convention 108, a treaty that is also open to non-member states. The European Convention on Human Rights is fully compatible with the GDPR.
- Beyond Europe, some 120 countries have their own privacy laws. To serve the needs of global business, an open approach is needed to develop cooperation at a higher, hence more efficient, level. With this in mind, Isabelle Falque-Pierrotin, while chairing the Article 29 Working Party, made it a point to reach out to the rest of the world, with a focus on APEC and Latin America.
Business is generally well prepared, although technical expertise doesn’t mix easily with legal skills. In-house dedicated Data Protection & Privacy teams help everybody understand that this challenge is mission-critical. Media hype helped in this respect, as it raised the level of attention across the board. But the key player is definitely the project manager, the true face of a radical albeit smooth cultural change. While no one can be 100% ready at all times, a robust process makes sure that one will rise to the challenge of compliance whenever needed. Controllers’ burden has definitely grown heavier, but a winning approach would have all stakeholders ask themselves: what exactly is it we want to protect? Over time the experience may feel like peeling an onion: parts that are core to the goal will call for undivided attention, while other pieces may deserve less consideration. Because the GDPR is a living body of law still in its infancy, an open dialogue with the EDPB looks critical to keep it fit for technological developments. For instance, a blockchain may not be able to support the right to erasure, since records, once written, are designed to be immutable: should the EU simply forgo this enabling technology?
Innovation needs a fully operational internet. Therefore the GDPR’s impact on the WHOIS database has to be assessed thoroughly. Law enforcement officers had grown comfortable with a database designed in the 1980s, when the internet was small. Adjusting it to a variety of data protection laws across the world was always going to be a challenge: for instance, drafting guidelines accepted by all registrars will never come easy. Continuing dialogue with all stakeholders is therefore instrumental to collectively getting the future right. This will also help cope with unintended consequences: as if echoing the uncertainty around a blockchain’s inability to erase data, the ePrivacy legislation may, depending on how transmission is defined, undermine the basic operations of telecom operators. Indeed, for lack of being addressed in time, some issues end up in court, as exemplified by the ICANN case currently before the German courts. Clarity makes things easier too. A tight stakeholders’ dialogue with the EDPB would make for a good start. Yet, as it happens, the FabLab experiment (around 100 people invited) proved somewhat disappointing, with civil society remaining mostly silent.
Not surprisingly, the GDPR was deemed a work in progress. ICT is disruptive by nature: taking cues from how it works may afford regulators the agility they occasionally lack.