On 12th March 2014, with a vast majority of votes (621 in favor, 10 against, 22 absentees), the European parliament demonstrated strong support for the proposed draft paper of the General Data Protection Regulation (GDPR), adopting the final version in April 2016 and coming into effect on the 25th May 2018. This year, GDPR will celebrate its 4th year in existence. Do we consider it a success story?
Known as the toughest privacy and security law in the world, GDPR is simultaneously one of the most wide-ranging pieces of legislation passed by the EU. It contains 99 articles and embodies the much needed, updated version of the previous 1995 Data Protection Directive. Unlike a directive, which allows member states to customize the law and tweek it to their needs, a regulation binds all EU member states to comply.
As the world wide web has gained in popularity, so has the misuse of personal information of citizens by governments and large firms or organizations for, as defined by some, unethical purposes. An example of gross violation of personal data protection is the infamous misuse of 87 million facebook users’ data for political campaigns of Donald Trump and Ted Cruz by Cambridge Analytica in the 2010s. The GDPR was drafted precisely to prevent similar types of digital privacy breaches. It protects the rights of individuals to privacy without compromising their data stored by any organization, state institutions, or utility companies. GDPR has become a vital part of EU privacy law and the human rights law within the Charter of Fundamental Rights of the European Union. Not only does it impose ‘’obligations onto organizations anywhere, so long as they target or collect data related to people in the EU’’ (Proton Technologies AG, 2022), it also serves as a renowned template for digital privacy policies of non-member states. The GDPR allows us to make choices about what type of information we share and with whom. This does not only concern within-Europe data transactions. In fact, any usage of EU citizens‘ data is to comply with GDPR, irrespective of the location.
There are 8 rights of individuals under GDPR. These include: right to be informed, right of access, right to rectification, right to erasure/to be forgotten, right to restrict processing, right to data portability, right to object and rights in relation to automated decision making and profiling. Two major protective rights should be highlighted. The first one is the right to be forgotten. If a citizen of the EU decides to go ‘’off-grid’’ the citizen has the right to demand the erasure of his/her digital footprint. Secondly, the right to data portability allows citizens to obtain and reuse their collected data individually, for their own purposes, or to directly request a controller to send their personal data to another.
If any organization performs a breach of GDPR they can be fined up to 4% of their annual turnover or €20mil, depending on which amount is higher. As of 8th February 2022, 907 fines have been distributed ranging from €28-€746mil. The most recent fine (26.01.2022) of €152,000 was served to the Uppsala hospital in Sweden for sending unencrypted sensitive personal health data to third parties both in Sweden and abroad. Additionally, the hospital was storing this data directly on Outlook. Furthermore, even individuals can be fined. In Spain, an individual was fined €1,500 for installing video cameras in the apartment building where he resided, recording common areas as well.
All in all, the GDPR has led to positive changes in company policies, increased control over the usage of personal data and limited intrusion into the private lives of EU citizens through their data.
- Heine, Ilse. “3 Years Later: An Analysis of GDPR Enforcement | Center for Strategic and International Studies.” Center for Strategic and International Studies |, 13 September 2021, https://www.csis.org/blogs/strategic-technologies-blog/3-years-later-analysis-gdpr-enforcement. Accessed 19 March 2022.
- Information Commissioner’s Office. “Right to data portability.” ICO, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/. Accessed 19 March 2022.
- Proton Technologies AG,. “GDPR Archives – GDPR.eu.” GDPR compliance, https://gdpr.eu/tag/gdpr/. Accessed 19 March 2022
- Zisk Web Ltd. “GDPR Fines List: Find all GDPR fines & detailed statistics.” Privacy Affairs, https://www.privacyaffairs.com/gdpr-fines/. Accessed 19 March 2022.