APC welcomes the European Union's General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. The GDPR is the most significant step in recent history towards enhancing people's privacy and giving them greater control over their personal information. The regulation strengthens the rights of individuals with respect to their data (information about it, access to it, ability to rectify, erase, or transport it, and restrict or object to its processing). Under the GPDR, data breaches must be reported, and at a technical level, data protection must be implemented by design and default. Importantly, the regulation also imposes more obligations on those processing personal data, and provides for stronger regulatory enforcement powers, such as fines of up to EUR 20 million or up to 4% of global annual turnover, whichever is greater.
The GDPR's impact will be global, as it applies to any entity, commercial or non-commercial (excluding law enforcement agencies), that holds or processes the personal data of people living in the European Union. It requires those who process personal data to disclose what data they collect and how long the data will be retained. They need to make clear the lawful basis and purpose for the collection and processing of the data and if it is being shared with any third parties. What is most significant about the GDPR is that it represents the most far-reaching regulatory intervention yet, which promises to hold large internet companies accountable for upholding users' right to privacy.
The GDPR has the potential to change the behaviour of the largest data collectors and thereby impact on prevailing internet business models. It touches directly on the question often debated by advocates for human rights online: to regulate or not to regulate? Frequently, internet-related regulations initiated by governments have the effect of restricting rights, rather than upholding and promoting them. The GDPR has the potential to do the opposite and strengthen compliance with international human rights standards by internet companies. Whether it will succeed in this remains to be seen. We applaud the EU for for tackling this challenge.
The GDPR is not a perfect instrument, and in some ways falls short of what privacy advocates hoped it would achieve. The draft regulation was the target of intense lobbying efforts by businesses and interested actors in all sectors, including the United States government, with over 5,000 amendments proposed. The final text contains vague language and definitions. Poor guidelines on implementation give leeway to EU member states on how to interpret the regulation, and on when exceptions would be permissible. It also presents implementation challenges to smaller businesses and non-commercial entities, including to APC and its members. The burden of compliance will be particularly challenging for entities based in countries – mostly located in the global South – where there are no existing data protection regulations. Ensuring compliance with the GDPR, and responding to breaches, is a massive undertaking. This is cause for serious concern. Rather than risk non-compliance with the GDPR, they may decide to not offer their services or products to people in the EU, which represents a lost opportunity both for economic growth and for raising data protection standards where these entities currently operate.
Nonetheless, we hope that the GDPR helps inspire stronger protections for data protection and the right to privacy globally. At a time when companies, governments and individuals exploit people's data to advance their own interests, placing more control of personal information in the hands of individuals and imposing penalties for non-compliance is not just important, it is critical for the exercise of human rights in the digital age.
As an organisation and network of members working globally, mostly outside of Europe, we see particular promise in the GDPR in two respects.
Firstly, it has the potential to raise human rights standards in the internet industry. The GDPR requires companies that are operating both in and outside of the EU to adapt their practices, at least for all data processing that falls under the GDPR. Any company, even if it is located and/or legally registered outside the EU, that wants to do business (offer services, sell goods, etc.) with people in the EU will have to comply with the regulation. Companies are therefore facing the choice of whether they are going to raise standards for all users, or deliberately discriminate against users based on their nationality and implement a dual standard, whereby the privacy of individuals outside the EU is less protected. APC calls on companies everywhere to offer the highest protection of privacy to all users, irrespective of where they live.
We applaud companies that have already announced their commitment to do this. We are extremely disappointed with Facebook's decision to move the data of all its users who are not from Europe, the US or Canada out of Europe, and therefore out of the jurisdiction of the tighter control of user data established by the GDPR.
Secondly, the GDPR provides the opportunity for increasing compliance with human rights standards by governments through data protection practices and legislation in countries beyond Europe. The GDPR requires that certain safeguards must be in place in all countries outside Europe to which data is being legitimately transferred from Europe. Data can only be transferred to countries where there are equivalent safeguards/standards through what are known as "adequacy decisions". This allows for the flow of data between countries, which is critical in the digital economy, while still providing safeguards for privacy. APC calls on governments to improve their overall data protection frameworks to meet the requirements for adequacy decisions.
As noted before, there are some weaknesses in the GDPR and challenges are already emerging in its implementation, including:
Some companies deciding not to offer services to EU citizens because they do not want to take measures to comply with the GDPR.
The onerous costs and resources needed to ensure compliance for smaller/non-commercial entities, including independent and alternative media organisations; costs which could limit innovation and job creation.
A minimalist approach to compliance by some companies, which consists of them sending users more information on what they are doing to comply with the GDPR and why, accompanied by an option to either agree or not to these new terms of service. This is not adequate, as users are given a choice to opt in or out as opposed to being given meaningful control over their data. Civil society actors and human rights defenders need to be in a position to assess whether the explanations provided by these companies are consistent with legitimate purpose. Privacy advocate Max Schrems is already taking legal action in this regard.
While 25 May is an important day, it is not the end point. Implementing the GDPR will require ongoing interpretation of the regulation in order to maintain compliance, particularly as new services, products and technologies are developed. Companies will continuously need to re-evaluate their products, services and data uses as understanding of the GDPR evolves, and civil society will need to continually serve the watchdog function and challenge violations and seek clarifications in the courts. They will also need to assess if the GDPR has unintended negative consequences for human rights, social justice and development. Thus far the most visible manifestation of GDPR implementation has been changes in internet platforms' terms of service agreements, and in the privacy policies of mailing lists and various kinds of institutions. Most of these provide individuals with the choice to opt in or out. As noted above, they do not give users meaningful control over their personal data. Few users are likely to either interrogate the new terms of service closely or to opt out of using products or platforms they are accustomed to using.
For the GDPR to contribute to longlasting and fundamental change in how user data is processed on the internet, compliance needs to evolve to include privacy by design as well as visible and accessible notification of breaches of the regulation. Moreover, it needs to be utilised as an opportunity by governments and non-governmental actors all over the world to pay serious attention to the importance of the protection of privacy in the digital age. The protection of privacy is not only a fundamental human right, it is also an enabling right, and its absence compromises other fundamental rights such as freedom of expression and opinion.
APC will publish a follow-up piece with views from our members and network on the impact of the GDPR on their work.
Here are some useful links on the GDPR: