international analysis and commentary

Data protection, Europe’s head start


The new European regulation on the protection of data is poised to launch a new global regulatory system. It will serve to protect the rights of the individual in the information society and allow Europe to have a dominant voice in the international debate on ethics and law in the digital ecosystem. It is now up to the businesses on the continent to adapt quickly and effectively to the dictates of the new regulation.


The General Data Protection Regulation (GDPR) was approved by the European Parliament and Council in late April 2016, and it officially went into effect on May 25, 2018. In contrast with previous undertakings, the regulatory nature of the GDPR offers a legal framework that is both formal and binding for member states, thereby harmonizing at European level the fundamental principles underlying the control and protection of personal data, and creating a new category of rights within the post-Lisbon treaties system.

Today, however, data privacy reform has yet to be completed. Despite the all-inclusive nature of the GDPR, some of its 99 articles leave the possibility open for individual countries to legislate independently in such a way as to further define the regulation’s instructions – in the case of some clinical or biometric categories, for example. While some EU member states have already issued special laws by which to comply with the dictates of Brussels, others are still in the implementation phase. Alignment proceeds, but there is still confusion, which is creating problems for the private sector and for many companies that missed the deadline and are now furiously restructuring in order to embrace the new European rules.


THE REGULATION’S POTENTIAL. The GDPR has ushered in numerous benefits as much for consumers as for businesses operating in the digital economy. The new European regulation is based on the dual pillar of “privacy by design and default”, a concept formalized in 2010 by Ann Cavoukian, then-commissioner for privacy of the Canadian province of Ontario. According to this approach, the privacy of individual data must always be considered the default position by businesses; it must also be taken into account in the design of algorithms and digital services from the earliest stages of their development. Instead of indiscriminately amassing data, businesses are obliged to treat personal data solely in the manner necessary for their immediate ends. For European citizens, the new regulation facilitates access to and management of their data by introducing the right to individual portability (the ability to request the transfer of their data from one platform to another), and the right to cancellation (to be able to oblige companies to delete their data, thereby undermining the creation of monopolies in the digital economy).

The need to modernize European policy is being spurred, on the one hand, by rapid developments in digital technology that have made the 1995 Commission data protection directive obsolete. On the other, the globalization of communications networks and the consequent flow of personal data – with the growing danger of cyberespionage, not least by foreign security agencies – have increased public sensibility to the issue of digital privacy. Indeed, the European Commission had already proposed an initial legislative draft of the GDPR back in January 2012, and the Council of Europe itself undertook the reform of its Convention no. 108 on the automated treatment of data approved in Strasbourg in 1981.

As regards European businesses, the GDPR introduces immediate organizational costs, but promises to strengthen competitiveness, especially at international level. Indeed, the strict nature of the EU regulation has the potential to facilitate innovation through protected digital services and consumer-friendly products, thereby turning European firms into “champions” of an ethical approach to the digital ecosystem.

The GDPR applies in the strict sense of the term not only to European companies but, more in general, to all those operating on the digital market. That means Google, Amazon and Facebook, who are all being forced to review their data management practices so as not to lose certain slices of the market. This could facilitate a sort of European technological “soft power” that could counterbalance the lack of investment in digital by strengthening the international ethical/legal framework. Thus, European firms better positioned to adapt to the pillars of the GDPR could draw advantages from it.

Add to that the informal protection that could be ensured by the new system of sanctions introduced by the EU regulation. Article 83 of the new code, for example, provides that a company that violates user or employee data can be fined up to 20 million euro or 4% of annual global turnover, whichever is the higher amount. This provision offers a powerful disincentive for the worst transgressions – especially for the giants of Silicon Valley and the Far East – and could benefit those European enterprises that are first to comply with the directive. In the first year of the GDPR’s application, sanction levying was little more than nominal: in 2018, for instance, the data protection authority of the German Land of Baden-Württemberg imposed a sanction on an online chat service for violating Article 32 on the security of data treatment. Prior to that, Portugal’s Comissão Nacional de Proteção de Dados fined the Barreiro Hospital of Lisbon 400,000 euro for having allowed unauthorized access to patient data. The watershed came in January 2019, when the French Commission Nationale de l’Informatique et des Libertés (CNIL) decided in favor of the La Quadrature du Net association’s claim, slapping a 50 million euro fine on Google for lack of transparency in its informed consent to the personalization of online ads.


CHALLENGES TO ENTERPRISE. Despite the competitive opportunities created by the GDPR and the onerous price of transgressing, European enterprises have been slow off the mark. According to a McKinsey survey at the beginning of 2018, almost no senior European manager considered his/her firm ready for the regulation’s entry into effect, and expected its application would be postponed beyond the May 2018 deadline. The majority of firms then sought to address the problem by adopting temporary solutions, resorting to the manual control of their databases, starting with the hiring of adjunct personnel. Indeed, the GDPR makes it obligatory for all government ministries and major firms that handle sensitive data to hire a data protection officer to oversee compliance.

Companies operating in digital business-to-business sectors have had to comply with the provisions of GDPR Article 28 on data treatment responsibilities, which imposes stricter measures on the transfer of data along production chains. Companies are obliged to ensure that no part of their supply chain is processing personal data while providing their services, even when that is not immediately visible. Business-to-consumer companies, on the other hand, have another hurdle to face: that of obtaining users’ informed consent to the treatment of personal data. Databases compiled outside the transparency and regulatory criteria of the GDPR risk becoming useless as a commercial asset. In both cases, the arsenal of IT instruments available to businesses needs to be modernized so they can automatically oversee their data gathering mechanisms, maintain their tangible traceability and meet multiple user requests.

The situation is made more difficult by the fact that member states have a degree of discretion in implementing the GDPR, and can decide to tighten some of the provisions at national level. Indeed, more than 30% of the regulation’s articles contain clauses that allow national legislatures to choose from various options (concerning the minimum age for consent to personal data treatment, for example) and to more specifically define the rules for data protection in government administrations, labor relations and social policy. The risks associated with legislative non-homogeneity are only in part offset by the creation of the European Data Protection Committee (EDPC), a new independent institution made up of representatives from the various national authorities, and of a European Data Protection Supervisor. The role of the new entity is precisely to stabilize compliance with GDPR norms through the publication of guidelines and codes of conduct. The EDPC differs from a steering committee in that it can issue binding decisions on specific cases when those cases involve more than one European country.


THE INTERNATIONAL PANORAMA. Germany is an interesting case: it has a long tradition of personal data protection, and was the first to pass a special law for implementation of the GDPR. The data protection law of the Land of Hesse, approved in 1970, is the first example of data protection legislation in the world. In addition to the federal commissioner for data protection – which is located in Bonn and acts in a supervisory capacity – every Land has its own data protection authority, and this necessitates continuous interface.

Implementation of the GDPR in Germany has two main features: first, the German legislature departs from the neutrality of European law – which avoids citing specific technologies and devices – to make explicit reference to the problems associated with video surveillance; secondly, it limits some individual rights linked with control and transparency.

In the case of France, the new GDPR regulations had to accommodate the country’s cultural specificity. The first French legislation on data privacy dates back to 1978, and that remained substantially unchanged until the first European directive was issued. Thus, the GDPR has triggered an institutional transformation with stronger supervisory powers than those of the CNIL.

The broadest features of France’s application of the European regulation concern the workings of an administrative machine traditionally infused with a strong government centrism. French legislation provides that a national government performing its public functions need not request the prior consent of its citizens on the treatment of data except when those regard health or genetics.

In Italy, the protection of personal data is not explicitly acknowledged in the Constitution, and for a long time these issues were ignored by national legislation. Only when a code for the protection of personal data was approved in 2003 – on the heels of the 1995 European Directive – did Italy become aligned with the other member states. With the arrival of the GDPR, the Italian government decided to update but not replace the earlier code, in favor of a change in perspective: from a model based solely on prior authorization of personal data treatment by the supervisory authority to a risk-based approach that incorporates the European regulation’s concept of accountability.

Italy’s adaptation of the GDPR accepts, for example, its onerous administrative sanctions, but it also maintains criminal sanctions of up to three years in prison for the illegal treatment of personal data. Moreover, Italian legislation is very detailed with regard to the treatment of healthcare data, obliging all public providers to employ a data protection officer and to keep a detailed register of how patients’ data are utilized. Italy has – at least so far – also been the only European case in which the personal data of the deceased are regulated.

Finally, another special case deserving of mention is Japan. With a view to ensuring its businesses’ continuity of access to the European market, the Land of the Rising Sun has decided to align itself with the obligations of the GDPR: its binding regulations guarantee European citizens access to their data. Furthermore, the country has established a claims management system and offers assurances that its government will not utilize the data for any purpose except those strictly to do with national security, also stringently regulating any eventual transfer of data to third countries. Brussels and Tokyo reached an accord in late 2018, within the framework of the European Union/Japan free trade partnership, on recognition of the reciprocal equivalence of their data protection systems.

Based on the values of a new technological humanism, the European regulation is poised to become the basis for a new global regulatory system. Thanks to the GDPR, Europe stands to have a dominant voice in the international debate on ethics and law in the digital ecosystem, thereby helping to steer its development in a direction that coincides with its political and economic interests. In order to fully exploit this potential, however, businesses on the continent are going to have to adapt quickly and effectively to the dictates of the new regulation. Another challenge will be to ensure homogeneity in the regulation’s application in the various member states and to keep the GDPR’s common rules from becoming mired in the morass of each country’s national legislation.