Opinion piece by Martin Schmalzried, Policy and Advocacy Manager, COFACE Families Europe
On the 25th of May, the General Data Protection Regulation (GDPR) will fully enter into force.
Everyone is feeling the pressure. All over the Internet, users are being harassed, receiving dozens of emails from long-forgotten newsletters begging them to click on a button to confirm their subscription, or else the sender won’t be able to continue to harass them, or notifications from services they occasionally use telling them that “everything’s gonna be alright, we got all the personal, detailed and sensitive data (that you didn’t know you shared with us) secured and treated with the highest confidentiality, except maybe for that one time…” All over Europe, any person, entity or organisation handling some form of personal data is running around like a headless chicken collecting consent forms, making sure that it’s OK to have access to your birth date, your gender, your address or your email. Is it proportional? Is it fit for purpose? Does it meet the data minimisation criteria? Do they have a “legitimate interest” in handling such information? What if they get “caught” mishandling your data? What happens then?
The GDPR is the most recent attempt, by the European Union, to address the growing concerns related to privacy and data protection. While there is still much uncertainty over just how much the GDPR will change our daily digital lives, it is important to demystify a few things.
First, don’t worry. The main purpose of the GDPR is not to drag a million-plus organisations or persons to court and make them pay hefty fines because they put your birth date in an unprotected Excel sheet. The GDPR is there to gradually bring about privacy-mindful data handling practices for all actors. While everyone will have to comply with the regulation, it will take some time to put those practices in place. If the 25th of May deadline got you brainstorming and exploring better ways of handling personal data, then you’re on the right track. Only huge organisations or companies that handle massive amounts of personal data should be worried, as they are the most likely to be the first “targets” of legal proceedings based on the new regulation (at least in the short term).
Second, although they have been explained in more detail by the Article 29 Working Party (a consortium of national Data Protection Authorities), many of the provisions of the GDPR remain general, and it is still unclear how exactly they will be applied in practice. Thus the court cases against companies handling massive amounts of data are necessary, if only to understand how some of those provisions will work in practice. The court cases brought by Max Schrems against Facebook several years ago follow this logic. In order to gain clarity on how a regulation or law will be applied, it first needs to be interpreted by the courts in concrete legal cases.
Third, while the GDPR remains general in scope, and some argue it is already “outdated”, several of its provisions could revolutionise how personal data is handled, stored and processed.
– The data portability principle coupled with the data minimization principle could allow users to regain full control over their data. Instead of companies or third parties storing personal data on their own servers, users could host the data themselves, on a cloud service of their choice, and maintain a list of permissions which grants access to certain parts of their data to various services and third parties.
– The proportionality and “fit for purpose” principles, coupled with the right to protest against automated decisions, could lead to fairer treatment of consumers in a variety of services like calculation of risk for personal insurance, creditworthiness checks, dynamic pricing practices or targeted advertising.
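The first bullet above sketches an arrangement in which the user, not the service, hosts the record, and a permission list decides which service may read which fields. The Python model below is an added illustration of that arrangement; it is not part of the original article and not COFACE’s work, and the service names, the sample profile and the class and method names are all assumptions. It shows the three properties the bullet relies on: a grant names the fields and purpose a service may read, an access request releases only the granted subset and records what was refused (data minimisation), and the whole record plus its permission list can be exported as JSON and moved elsewhere (portability).

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample profile (not real data): the user keeps this record on
# storage they control instead of copying it to every service's servers.
SAMPLE_PROFILE = {
    "email": "user@example.invalid",
    "address": "1 Example Street, Brussels",
    "birth_date": "1990-01-01",
    "gender": "unspecified",
}


@dataclass(frozen=True)
class Grant:
    """Permission for one service to read a fixed set of fields for one purpose."""
    service: str
    fields: frozenset
    purpose: str


class UserDataStore:
    """User-hosted record plus the permission list that gates access to it."""

    def __init__(self, data):
        self._data = dict(data)
        self._grants = {}   # service name -> Grant
        self.audit = []     # every access attempt, granted or refused

    def grant(self, service, fields, purpose):
        """Allow `service` to read `fields` for the stated purpose."""
        unknown = set(fields) - set(self._data)
        if unknown:
            raise KeyError(f"cannot grant fields that do not exist: {sorted(unknown)}")
        self._grants[service] = Grant(service, frozenset(fields), purpose)

    def revoke(self, service):
        # Withdrawing access is one local operation: the service never held
        # a copy of the record that it would have to be asked to delete.
        self._grants.pop(service, None)

    def access(self, service, requested):
        """Return only the granted subset of the requested fields; log the rest as denied."""
        requested = set(requested)
        grant = self._grants.get(service)
        allowed = (grant.fields & requested) if grant else set()
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "service": service,
            "purpose": grant.purpose if grant else None,
            "released": sorted(allowed),
            "denied": sorted(requested - allowed),
        })
        return {name: self._data[name] for name in sorted(allowed)}

    def export(self):
        """Portability: the record and its permission list as JSON the user can take elsewhere."""
        return json.dumps({
            "data": self._data,
            "grants": [
                {"service": g.service, "fields": sorted(g.fields), "purpose": g.purpose}
                for g in self._grants.values()
            ],
        }, indent=2, sort_keys=True)


if __name__ == "__main__":
    store = UserDataStore(SAMPLE_PROFILE)
    store.grant("parcel-service", {"email", "address"}, "delivery notifications")
    # The service over-asks; only the two granted fields come back.
    print(store.access("parcel-service", ["email", "address", "birth_date"]))
    print(store.audit[-1]["denied"])
    store.revoke("parcel-service")
    print(store.access("parcel-service", ["email"]))
    print(store.export())
```

The audit entry is what makes the model useful to the user rather than merely convenient: an over-broad request is visible as a `denied` list, and a purpose is recorded with every release. The part this sketch cannot enforce is the one that matters most in practice: once a field has been released, nothing here stops the service from caching it, so the hosting side still needs the contractual and technical controls (retention limits, deletion on revocation) that the regulation is meant to impose.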
Nevertheless, there remain many unanswered questions and negative impacts of the GDPR, notably around consent in the case of minors. COFACE Families Europe would have been more in favour of strong privacy and personal data protection principles by default rather than a focus on consent, especially in the case of minors (below 13 to 16, depending on the interpretation of the law), who will have to ask their parents to provide consent on their behalf for all the services they use.
COFACE Families Europe will continue to monitor how the GDPR is enforced, and will provide guidance on how best to interpret its general provisions to achieve the highest protection and privacy for the personal data of all families, children and parents alike.
For more information about this piece: firstname.lastname@example.org
**DISCLAIMER: All opinions in this article reflect the views of the author, not of COFACE Families Europe**
Photo credit: Technology image created by Freepik