How Europe Is Driving a New Era of Data Protection
GDPR gained increased attention given the recent Facebook & Cambridge Analytica revelations that placed data protection at the forefront of political debates at the national & EU levels. A month down the line, is it possible to assess its progress?
By Leonardo Sforza and Anthony Adams, MSL Brussels
The fact that data rather than oil has emerged as the world’s most valuable resource is no longer news for our clients and readers following the long-standing engagement of MSL and of the broader Publicis’ agency network around big data.
The ability to gather and move personal data has now become an integral part of trade and business. The value of the EU data economy, estimated at 300 billion Euros in 2016 or 2% of EU GDP, may rise to 739 billion Euros by 2020. In Europe, the increasing value of personal data has tracked with the need to strengthen standards of data protection. On 25 May 2018, the EU’s landmark General Data Protection Regulation (GDPR) came into force with ripple effects for organisations processing personal data of those in the European Economic Area (the 28 EU member States plus Norway, Iceland and Liechtenstein), no matter the legal status of the organization or where it is based.
The ambitious reform, which reshuffles rules established in the ‘90s, aims to give citizens more control over their personal data, whilst allowing businesses to benefit from a unique legal framework and level playing field in the processing and transfer of personal information in the expanding data-driven economy. GDPR has gained increased attention given the recent Facebook and Cambridge Analytica revelations that have placed data protection at the forefront of political debates at the national and EU levels. A month down the line, it is possible to assess GDPR’s early progress.
Progress has been made on implementation.
What is GDPR and how does it work?
GDPR governs the manual or automated processing of personal data relating to individuals in the EU. Effectively, the regulation reshapes how an individual, company or public organization collects, uses, stores and transfers personal information, which includes anything from a customer’s name or photo to an e-mail address.
Under the new rules, individuals in the EU have the right to receive clear information about how their data is used and to decide whether it should be shared or deleted. Organisations, regardless of whether or not they are based in the EU, will face fines of up to 4% of their annual global turnover or EUR 20 million (whichever is greater) in the case of non-compliance.
At the heart of GDPR is the recently established European Data Protection Board (EDPB), which, through cooperation among data protection authorities, ensures the law is applied consistently across the EU. The Board provides guidelines and issues binding rulings on cross-border disputes. Unveiling the new body on 25 May 2018, Andrea Jelinek, Chair of the EDPB, emphasized that it is crucial to “unite forces to ensure a high and consistent level of data protection for individuals, wherever in the EU they are based”, adding that the structure represents a “new governance and coordination model [with] the power to adopt binding decisions”.
The law is therefore “pan-European”, replacing an “inconsistent patchwork of national laws”, according to a Commission note, which adds that, as of now, companies only “deal with one supervisory authority rather than 28, making it cheaper to do business in the EU.”
Since 25 May, 30 cross-border cases have already come under investigation. Meanwhile, it appears that by mid-June only 12 EU countries and Norway had taken all the legislative and administrative measures for the national implementation of the EU regulation, and that differences among local rules remain and more are likely to emerge.
Businesses are facing adjustment challenges.
In view of these stringent new rules, companies have made great strides to ensure compliance, but significant short-term challenges abound. Markus J. Beyrer, the Director General of Business Europe, the powerful voice of business organisations in Brussels, said, “we now need to see real follow-up by national regulators to ensure harmonized application of these rules.”
The Financial Times reported recently that companies are under strain from GDPR requests as they adapt to the new regulation, with technology firms, media groups, retailers and banks the most affected due to their large customer databases. The FT article quoted Facebook’s Data Protection Officer, Stephen Deadman, as saying that the company had seen a three-to-four-fold increase in questions in the early days after the introduction of GDPR. Politico, a leading international public policy media outlet, argues in an article that rather than clamping down on tech giants like Facebook and Google, the law actually boosts their position, given that they are better prepared to ensure compliance than their smaller counterparts.
Concerns have risen over transatlantic data protection.
GDPR has been adding fuel to transatlantic tensions, namely in the implementation of the EU-US Data Privacy Shield. Operational since 2016, the agreement aims to protect the rights of those in the EU whose personal data is transferred to the US for commercial purposes. More than 3,000 companies have signed up in order to transfer their customers’ personal data to the US.
Legitimate concerns over the Facebook-Cambridge Analytica data breaches have prompted members of the European Parliament’s Civil Liberties Committee (LIBE) to call on the European Commission to suspend the agreement unless the US complies with it by 1 September 2018, emphasizing the need to act on breaches and remove companies found guilty from the privacy shield list.
The possibility of suspension came one step closer at the plenary Parliamentary session of 5 July, when MEPs adopted a resolution drawn up by British Labour MEP and Chair of the LIBE Committee Claude Moraes to suspend the Privacy Shield unless US authorities fully comply. Nevertheless, in the debate preceding the vote, the EC’s Justice Commissioner Věra Jourová said that she continues to think the suspension is unjustified and that improvements have been made, reiterating her wish for the shortcomings to be rectified in the course of the next evaluation process on 18 October 2018. In her speech at the Transatlantic Business Award on 9 March 2018, Commissioner Jourová stressed that EU-US bilateral trade in services is almost 450 billion Euro a year. With the ever-increasing share of services in trade, and the importance of data flow for cross-border services, the Privacy Shield has been a central building block of transatlantic economic relations.
A serious disruption of EU-US data flow could reduce EU GDP by an estimated 0.8 to 1.3%.
The implications of Brexit for data privacy rules are still uncertain.
Another ongoing question is the UK’s relationship with GDPR after its formal departure from the EU in March 2019. The UK government is keen on securing an agreement with the EU on data protection, with Theresa May making it a priority in Brexit negotiations, but it has done nothing yet on this front. Indeed, the UK government has repeatedly said that its data protection laws fully align with the EU’s, advocating a harmonised approach post-Brexit with continued participation in all aspects of GDPR.
For the European Commission, according to its notice submitted earlier this year, the UK will become a non-EU member state and as such it will require an ad hoc decision by the EU on whether the UK has adequate data protection that would allow EU data to be processed there lawfully.
Meanwhile, in a June 2018 report issued by the UK House of Commons committee on “Exiting the European Union”, British MPs warned that “there is a high chance of a legal challenge to any proposed UK-EU data international agreement”, creating a short-term regulatory gap with uncertainty for business. The committee thus called on the UK government “to establish with the EC whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay.” Any disruption in personal data flow would have an important economic impact on both sides of the Channel, especially when considering that 75% of the UK’s cross-border data flows occur with EU countries.
It’s time to address ‘grey areas’.
One month in, the long-awaited implementation of GDPR is well underway, and public and private stakeholders have made tremendous efforts to comply with the new legislation. Looking ahead, lawmakers as well as public and private organisations should keep tabs on several issues that remain in the grey zone. These include clarifying rights and obligations, EU Member States’ finalization of national implementation rules, companies minimizing the negative effects of alleged non-compliance, controversies over the EU-US Privacy Shield and prospects for the UK remaining a key player in the EU data protection domain. According to a 2015 pan-European poll, 81% of Europeans feel that they don’t have complete control over their personal data, and only 24% of them have trust in online businesses such as search engines, social network sites and e-mail services.