David Martin, Senior Legal Officer at the European Consumer Organisation, outlines what the new General Data Protection Regulation means for consumer trust
On 5 May 2016 the new European General Data Protection Regulation (GDPR) was published in the European Union’s Official Journal, marking the end of a long and complex legislative process that lasted over 4 years. The GDPR will be directly applicable in all EU countries from 25 May 2018.
Goodbye to patchwork of privacy protection rules
This new regulation is good news for consumers. They will have more information about what happens with their personal data online. It also gives consumers greater control over how, when, by whom and for what purposes their personal data is collected and used.
The adoption of the GDPR is a positive development for the EU’s Digital Single Market. The current patchwork of national data protection laws developed to transpose the 1995 EU Data Protection Directive will be replaced by a single piece of legislation, directly applicable all across the EU. This should make it easier for businesses to operate in the EU. It should also result in more coherent and efficient enforcement of the rules by national data protection authorities.
The GDPR will boost consumer trust in digital services and ensure that the online marketplace develops in a way which is respectful of our fundamental rights and values.
Meeting today’s challenges
The EU needed a modern and unified legal framework to face the privacy challenges posed by the digital revolution. The present is digital and the future will be even more so. Technology and ‘big data’ are transforming our societies, changing the way we live, the way we work, even the way we think and take decisions. The predominant internet business models are built around the monetisation of consumers’ personal data.
Yet, consumers remain oblivious to the massive collection, processing, storing and monetising of their data. All they encounter are the never-ending and unintelligible terms and conditions, which are difficult to read, even more difficult to understand, and often do not come close to what is actually going on inside the ‘black box’. Terms and conditions often do not even respect basic consumer and data protection rules. Yet, the only real option is to click ‘I agree’, as the case of the recent changes in WhatsApp and Twitter’s privacy policies has illustrated.
Principle-based evolution
Privacy concerns are only likely to grow as technology, big data and connected devices become even more predominant in our lives. From a consumer perspective, the GDPR is not a total revolution but a much needed evolution. It builds upon well-established principles and elements of EU data protection law and seeks to adapt them to a new technological reality – giving people greater control and transparency.
The GDPR introduces quite detailed obligations in terms of the information that has to be provided to consumers when their data is processed. It also reinforces existing consumer rights such as the right to object to the processing of your data, the right to access your information and the right to have it erased.
The regulation also establishes new rights. Worth highlighting is the right to data portability (i.e. consumers have the right to take their data with them when they are switching from one service to another). There are also stricter rules on how to seek consumers’ consent for the processing of their personal data. Consumer redress mechanisms have been improved. Consumers have the right to compensation for material or immaterial damages when their rights have been breached.
Another new element is an obligation for companies to abide by the principles of privacy by design and by default. Privacy must be embedded in every step of the development of a product or service and the strictest privacy settings must be set on by default when a consumer uses a new product or service. The GDPR will apply to any company offering goods and services to consumers in the EU or monitoring consumers’ behaviour in the EU, regardless of the company’s nationality or whether it is established in the EU or not. The powers of national data protection authorities have also been strengthened to make sure that all companies, big or small, comply with the rules. Consumer organisations will also be able to play a greater role defending consumers’ privacy.
All these new rules shall help build trust in digital services and technology, foster the development of privacy friendly technologies and help consumers to safely enjoy the individual and collective benefits of the digital revolution without compromising their fundamental rights.
Overall the GDPR opens a new chapter for privacy protection in the EU, but this is just the beginning. The story now shifts towards how to apply the GDPR in practice. The battle for consumer privacy continues.
David Martin
Senior Legal Officer
The European Consumer Organisation
Tel: +32 2 743 15 90
