GDPR — Establishing A Fundamental Right, Not Just Regulation
When — a few days ago — conservative politicians in the UK announced their plan to “replace” the General Data Protection Regulation (GDPR) with a new privacy law [1], I started a short Twitter thread explaining why this matters more than many people think [2].
A quick rewind first: The GDPR became enforceable in May 2018. I was working at a regtech startup at the time and remember a sense of panic in the air, as many smaller companies had tried to ignore the regulatory changes until the last moment, or had (wrongly) understood it as a “cookie law” style regulation which could be left to the development department.
A few months before the GDPR came into force I was asked — I was apparently considered “the privacy guy in the room”, as a friend phrased it — to give my first introductory talk about the new privacy regulation to some startups.
Despite its many words, the GDPR can be summarized in a surprisingly simple way: It defines what data should be considered personal and that keeping or processing it requires the consent of the person concerned. That is it, everything else follows from this.
Despite its name, the GDPR is — first and foremost — not a “regulation for businesses”, but establishes a right for everyone to decide what other people can do with their personal data. In fact, the GDPR is an implementation of Article 8(1) of the Charter of Fundamental Rights of the European Union. The article reads: “Everyone has the right to the protection of personal data concerning him or her.”
This is also stressed by the fact that the GDPR does not deal with the location of the business that processes personal data, but with the person whose personal data is affected. It grants a right to every EU citizen.
Since 2018, I have talked to probably a hundred businesses about the GDPR [3] and I have always started out with this very simple principle. The most common criticism of the GDPR I have encountered was the lack of specific instructions contained in the text of the GDPR. This, however, is exactly because GDPR compliance is not a set of instructions for data management, but an attitude to take the right to data privacy seriously and to act accordingly.
I have also always argued that the first step to compliance is to know what data you collect (and you would be surprised how many companies do not know) and how it is processed. In that way, the GDPR did a great deal for data management in general. Finally, a good reason to improve your data management.
Was the GDPR a success?
I would argue it was. The GDPR is not perfect, it is intentionally vague and has of course not led to a privacy paradise, but it was the first decent approach to guarantee a right to personal data privacy.
When thinking about the GDPR it is also important to remember its scope: Contrary to common misconception, it is not an “internet law”. It deals with privacy offline as it does with privacy in the online space. In my experience, it has shifted the attitude in the industry.
No conference where data privacy is not a topic, no discussion about data management without a reference to what is considered personal data and how it must be dealt with. It is a topic in the development department, in management and in board meetings. Even people who have no professional ties to privacy or data protection are aware of its basic outline.
It is true that regulators — and that includes the regulator in the UK — have been rather tame and slow, but nevertheless the shift in the industry has happened. The fear-mongering which predicted that scores of small business owners would be overwhelmed by cost and workload has — of course — also not happened, though it has to be noted that at least some ambulance-chasing lawyers have discovered the GDPR for legal harassment.
An attack on a fundamental right
Attacking the GDPR as “bureaucracy” is of course a red herring; it is nothing other than an attack on a fundamental right, the right to data privacy. The GDPR does in fact contain very few “bureaucratic requirements”, especially for small businesses.
The argument that the GDPR prevents innovation and hinders growth is as old as it is silly. It is the same line of argument that the European Convention on Human Rights is an encroachment on justice, and the same pattern can already be found in the UK’s approach to AI regulation [4] (which is closely tied to the right to privacy).
And because this concerns everyone, people should take this attack on the GDPR very seriously: It’s not about “the EU”, not about red tape, it’s about taking away a fundamental right using the dumb excuse of economic growth.
[1] https://techcrunch.com/2022/10/03/uk-data-reform-bill-replace-gdpr/
[2] https://twitter.com/mistakenotmy/status/1577200195481526272
[3] Disclaimer: I am not a lawyer and I aim to explain the spirit of the GDPR and what it means in tech, not to give legal advice.