The take-away
- Strong data protection could slow progress in healthcare: data-driven improvements in this field need as much information as available.
- EU regulations often influence other markets. Some of GDPR’s core ideas could be adopted elsewhere.
“When it comes to personal data today, people are naked in an aquarium.” European Commissioner Věra Jourová was fond of that analogy, but since May 25 it has no longer been true, as Europe’s new rules on data protection came into effect.
The General Data Protection Regulation (GDPR) seeks to protect the privacy of Europeans whose data is accessed and processed not just in Europe but anywhere in the world. With this, the EU has sought to overhaul its decades-old privacy regulations to fit a digitised world increasingly powered by the information that people knowingly or unknowingly share online.
The GDPR’s 2016 adoption by the European Parliament was followed by a two-year grace period, giving governments and businesses time to comply or face massive fines — up to 4% of a company’s annual global turnover or €20 million, whichever is greater.
But not everything about the GDPR is positive. Tim Büthe, chair for International Relations at the Technical University of Munich, an expert on the role of standards and regulations in the governance of global markets, says that while the new regulations will undoubtedly boost transparency and privacy protection, there may be a cost to society.
“It is surely good to raise public awareness of the risks of carelessly sharing personal data”, says Büthe. “However, data-driven improvements in such areas as public safety and healthcare actually require comprehensive data sets.” The chance to boost public health by learning from a full set of data instead of the “normal” middle could be diminished. He explains: “If strong data protection leads to biased or skewed data, such as when a small number of very healthy or sick individuals withhold their health data by not opting in, many others may be deprived of substantial benefits.”
Data lag
Some experts believe that enforcement may start slowly, with many companies still scrambling to comply with the infrastructure, personnel and data-use changes required. Nations across Europe differ widely in preparedness: data-sensitive Germany’s authority was ready well in advance to enforce the GDPR, while eight EU countries from Belgium to Bulgaria were lagging.
One of the areas potentially causing headaches for businesses is the right to “data portability” enshrined in the GDPR, giving people the right to receive or transfer their personal data in a structured, commonly-used and machine-readable format.
Take AI-assisted driving, where data on driving habits may be stored in a system owned by a car’s manufacturer. If you can’t take your data with you the next time you buy a car, you would be locked into buying the same brand again or risk being less safe behind the wheel.
Despite the importance of data portability, Büthe says that offering compatible data is easier said than done, since firms use different formats and conceptual models.
Exporting accountability
Commissioner Jourová says that the time for leniency for companies making money from European citizens’ data “is over”. She believes that the fears of undue difficulties for non-data-driven EU companies are exaggerated. “The others should use their common sense,” says Jourová. “The data-protection authorities are not just sanctioning machines, they are also there to support companies to be fully compliant.”
Büthe believes that such global firms as Facebook will find it relatively easy to comply since they are accustomed to “linking up lots of data”, and that the hefty fines involved make it unlikely that foreign firms will be less compliant.
While the GDPR is unlikely to inspire change in data-hungry countries like China, it may be adopted elsewhere. Says Büthe: “The EU often has leverage beyond the Common Market; its regulations can set norms for much of the rest of the world. But data protection is an issue that even within Europe runs up against a variety of different cultures, and globally that’s even more so the case.” He adds: “I don’t think the US will create a regulation quite this extensive, but the EU putting these rules in place might increase support for many of the GDPR’s core ideas.”
GDPR: the main changes
Increased transparency
Companies using any personal data must provide transparent, readily accessible and easily understandable information about how the data will be used.
Heavier sanctions
Noncompliance can now lead to fines of up to €20 million or 4% of global turnover, while data subjects can also sue for damages.
Clear consent
The consent given by data subjects must be explicit, not taken through inactivity or pre-checked boxes, and able to be withdrawn at any time.
Data Protection Officers (DPOs)
Independent DPOs must be appointed for all public authorities and for bodies whose core activity involves large-scale data monitoring or processing.
Territorial scope
The GDPR applies to anyone accessing the data of people in the EU, regardless of where a firm is based. Data transfers to countries without adequate data protection are prohibited, as are external orders for EU companies to disclose personal data, unless covered under international agreements.
Enhanced rights
Individuals have the right not to be subject to a decision based on data profiling (in certain circumstances), the right to be forgotten with data erasure, and the right of easy access to and portability of their data on demand.
Breach notification and legal liability
Data controllers must notify authorities and subjects of data breaches within 72 hours, and data processors may be held legally liable for breaches.
One-stop shop
For clarity, multinational companies will be regulated primarily by the national supervisory authority in the country in which they have their “main establishment”.
Privacy by design, default, assessment and accountability
Data controllers must conduct Data Protection Impact Assessments before undertaking high-risk data processing, retain records of all activities, and ensure that systems are designed so that any personal data processed protects individuals’ privacy rights “by design” and “by default”.