The General Data Protection Regulation (GDPR) celebrated its fifth birthday recently. It entered into force in the European Union on 25 May 2018 with the purpose to protect the use of Europeans' personal data.
This regulation, the first of its kind adopted in the world, is the consequence of an awareness of the importance and worth of personal data and that with the rise of digitalisation, its collection, processing and use have been facilitated and accelerated.
In Europe, the GDPR is imposed on all those who use our personal data. Examples are numerous, whether it refers to photos shared online, our browsing history and location data, or our health information. In theory, in all cases, the citizen must be informed and agree to the use of the data.
The GDPR also gives citizens the right to compensation and justice if they believe that their data has been used without their consent. This is what has just earned Meta, the parent company of Facebook, Instagram and WhatsApp, a resounding fine of €1.2 billion for the illegal transfer of data of European users to the United States.
Evolving tool?
So, after five years of the GDPR, has the regulation proved its worth?
When approached for comment by the Brussels Times, the office of Wojciech Wiewiórowski, the EU’s European Data Protection Supervisor, supplied us with this statement which suggests that GDPR is just the start of an evolving data protection mechanism at EU level and is not the ultimate tool:
“In order to protect the essence of the rights to privacy and data protection, we need to ask ourselves whether our current framework is delivering on the original ambitions of what these rights meant to us from the outset,” Mr. Wiewiórowski said in his statement.
“And, if, after this assessment, we continue to have doubts, this means that something needs to change. I do not necessarily mean legislative overhaul. Instead, change can mean an increased open-mindedness in the way we set priorities for how we protect individuals," he continued.
Change can mean strong leadership and consistent action, but also a need to be flexible with mind-sets, Wiewiórowski believes. “We inevitably need to be ready for change, because the boundaries of privacy and data protection are continuously shifting...And, we cannot remain static while they do so. We need to react, in one way or another.”
In a recent RTBF article, Jacques Folon, professor at the ICHEC business management school and a GDPR specialist, said that GDPR is only as effective as the authorities that enforce it and that the effectiveness of privacy authorities varies from one state to another.
Not all Member States allocate the same resources to the monitoring of the protection of privacy. "We have data protection authorities that are understaffed. 82% of data protection authorities, in a recent survey, say they should have at least 30% more staff," he told RTBF.
Jacques Folon also believes GDPR is not respected in the same way by all those to whom it is imposed. "The problem in companies is that they often feel like it's something for the big firms to worry about,” he added.
“It is rather SMEs, VSEs, the self-employed, lawyers, architects, doctors who are also subject to the GDPR who consider that it is for Facebook and that it does not concern them. Did your family doctor make you sign a privacy statement? It’s unlikely as there are almost none that do. However, as they process health data, it is mandatory."
What is clear, is that after five years of GDPR, despite much success and improvement, more work needs to be done to enforce its implementation at all levels and to provide the necessary resources to do so. Before data protection can evolve, GDPR should provide a more solid, and widespread foundation than it currently does.
