One year after its commencing effect, we see a lot of overview articles highlighting what happened with GDPR in its first year. Loads of breaches, plenty of guidance, the first major GDPR fine issues by CNIL, panic, denial and still lots of fear, uncertainty and doubt. But what was the GDPR about in the end? The short answer can be easily found in the full name of the regulation.
Its full title reveals that the GDPR concerns the protection of natural persons in regard of the personal data about them, and the free movement of these data. The early predecessors of the European Union were a peace project disguised as an economical one. The European Union is not only about a single market, but also about protecting the fundamental rights of its citizens.
So, when the 1995 data protection Directive replaced by a Regulation commencing effect in May 2018, this was an important step in unifying the member states’ legal regimes. Up till then, Member States could issue their own privacy legislation, which had to be in line with the contents of the Directive. With a Regulation, there should be true clarity about the rules. This is what unification should discern itself from harmonisation.
However, there are areas which are not subject to EU rules, and there is political compromise, and there is a mix of them called ‘subsidiarity’. This led to dozens of exceptions emanating from the GDPR, e.g. on the handling of certain categories of personal data. Therefore, national legislators can still issue rules on data protection. What is more, national supervisory authorities issue their own guidance.
They can also draft their own lists of, e.g., processing activities triggering obligatory DPIAs. It is the price we pay for being a federal Europe. Regretfully, these rules and exceptions really do not help suppliers of goods and services to operate cross-border and thus promote the functioning of the internal market. Still, these ex are trivial in comparison with the absurd side ‘effects’ of GDPR commencing effect over the past year. To name four of them:
- A tsunami of e-mail newsletter consent requests. However, it is primarily the ePrivacy Directive that has something to say about this. This Directive was issued in 2002. Well, OK, consent requirements have become more stringent under the GDPR, but only part of the absurd number of consent requests for e-mail newsletters would have been necessary.
- A large number of websites shutting down their operations for EU citizens. Not only could we not access some US newspapers anymore, a provider of ‘smart’ light bulbs (Yeelight) shut down its operations as well. After smart speakers listening in with private conversations, this is just another trigger to keep well away from the internet of things.
- GDPR turning into fake news. I doubt whether we ever heard so much bullshit on a legal topic ever before as over the past year. Countless wannabe ‘specialists’ making claims about a law they clearly know nothing about. Some of the statements: GDPR is entirely new, small companies are exempted, consent is always required. They are all fake news.
- Assuming ridiculous consequences. Such as: blurring out all class mates on a class photo except the child that takes the photograph home. Because GDPR. Not being able to tell a clinic treating a convicted sex offender that he is a sex offender. Because GDPR. Not being able to share pictures and messages involving different people. Because GDPR.
What is the conclusion from these examples concerning the real purposes of the GDPR? One may safely assume that the people drafting and approving GDPR are not insane. GDPR is not about hindering people, making people’s lives into a compliance hell, or about protecting criminals. It is just an, admittedly vast, set of rules protecting our privacy interests and promoting the internal market.
All the consent e-mails, shut-down sites, fake news and misinterpretations cannot be blamed on the instrument itself. The truth is that the GDPR sheds more light on cross-border operation of companies and organisations involving personal data, because one does not need to scrutinise national legislation in many cases anymore. The multitude and relative vagueness of the new rules are simply the price we have to pay for that.