Data protection: Europe might be getting it righter

Data protection law in Europe dates from the mid-1990s, before Google was founded, ten years before anyone invented cloud storage, and when most personal data was stored on paper, or in isolated mainframes.

Over three years ago, the vice-president of the EU published proposals for a General Data Protection Regulation (GDPR) which have ground their way around the internal organs of the EU ever since. Finally, in the last few days, both the Council of the EU and the European Parliament have adopted the GDPR, and it is set to come into force.


The next step is for the GDPR to be published in the Official Journal, which is the record of directives, regulations, and other legislation in Europe. This should occur in the coming days or weeks. Twenty days after its publication there, the GDPR comes into force, but it allows a period of two years before its provisions have the effect of law.

In practice, this means that Europe should be undergoing transition to the new law from this summer until mid 2018. Clearly there is no rush to protect our data and privacy, although national legislation to remove privacy, such as the UK’s Investigatory Powers Bill, can be swept through in just a few months. It’s just a question of priorities, I suppose.

What does it change?

No one seems entirely clear on that; as the last version of the GDPR is over 100 pages long, and intended not just for current internet usage but for many years to come, there must be many changes. But different sources say different things, and until the final version of the GDPR has been published, scrutinised, and debated, we won’t really know.

Wikipedia’s entry is worth reading, although it is based on previous drafts of the GDPR. It lays emphasis on the following:

  • the requirements of the GDPR will apply to all organisations and companies which are based in EU states, and to all organisations and companies worldwide who handle personal data of EU citizens;
  • a single set of rules applies to all, and there are no differences between states, or even for organisations and companies which are based wholly outside the EU;
  • privacy settings default to very high, and must be designed into all systems which handle personal data;
  • valid consent must be obtained from individuals, and the information given to them must be explicit; those under the age of 16 must have verifiable consent obtained from their parent or guardian; consent must be opt-in, and may be withdrawn;
  • all data breaches must be reported ‘without delay’ to an official EU state supervisory authority, and individuals must be notified if any adverse impact is determined;
  • a right to be forgotten may replace a right to erasure: this is not yet clear;
  • individuals have a right to transfer their personal data from one processing system to another, using a structured and generally-used format;
  • fines for non-compliance can be as much as €20 million, or greater for large enterprises.

The European Commission’s account is different in parts, and has not yet been updated to reflect the final version of the GDPR as will be published shortly. It places a lot of emphasis on the right to be forgotten, and relatively little on applicability to non-EU businesses, which rings some alarm bells.

Another very important area which is not mentioned anywhere is the problem of data aggregation: where someone can add together two or more collections of anonymous information, and identify individuals whose personal data they have been drawn from.

So this is good news?

Yes, and no. If the final version of the GDPR does include the above provisions, it will go a long way to addressing many of the issues which I have raised in other articles here, and which many others have raised.

The biggest problem is likely to be enforcement. It is all very well telling a corporation which operates entirely outside the EU that it will be fined very large sums if it does not comply, but enforcing that is going to be much harder. This may be why the European Commission is placing little emphasis on what would otherwise be a major change: remember Ashley Madison and other non-EU breaches?

But aren’t the EU sorting out equivalent protection in the USA anyway?

Ah – you’re thinking of the Safe Harbour Scheme which lay in tatters late last year. That work is being progressed by the Article 29 Working Party (because it concerns Article 29 of the original EU Directive 95/46/EC), and is now called the Privacy Shield scheme. Unfortunately, the latest statement from that Working Party is not encouraging. Essentially the current Privacy Shield proposal still falls well short of what is required under existing antiquated EU law.

Furthermore, the Working Party points out that, now that the GDPR will come into full force in 2018, a full review of the compliance of any such scheme with the GDPR will have to be undertaken. If the GDPR does improve data protection, that almost certainly means that any scheme drawn up to (almost) comply with the old legislation will fail to meet the requirements of the new law.

So the good news is that EU data protection law is at last changing for the better. But not for the next two years, and no one knows whether it will work.