The Impact of the GDPR
After four years of preparation and debate, the EU’s General
Data Protection Regulation (“GDPR”) was finally approved by the EU Parliament
on April 14, 2016, coming into effect on May 25, 2018. Nine months after its
enforcement, this article seeks to examine its impacts on individuals as well
The aim of the GDPR is to protect all EU citizens from
privacy and data breaches. To be protected under the GDPR, you have to either
be a citizen of the EU or be located in the EU, no matter where you are from.
GDPR protects the privacy rights of data
subjects, including the Right to Access, the Right to be Forgotten, and the Right to Data Portability.
The Right to Access provides for data subjects’ right to
obtain confirmation from the data controller on whether their personal data is
being processed, where and for what purpose. The controller also needs to provide
a copy of the personal data in an electronic format.
The Right to be Forgotten/Right to Erasure is protected by
article 17 of GDPR and entitles the data subject to have the data controller
erase personal data, cease further dissemination and potentially have third
parties stop processing the data. This provision requires the data controller
to weigh the subject’s rights against the public interest when considering such
requests to erase personal data.
The Right to data portability, under article 20, stipulates
data subjects’ right to receive their personal data from a controller and to
have the data transmitted to another controller. In other words, if you wish to
move to a new social media platform, you can directly request your personal
data be transferred to another company when it is technically feasible.
Organizations that disregard these rights of data subjects and
are thus in breach of GDPR can be fined up to 4% of annual global turnover or
€20 million (whichever is greater).
GDPR takes a tiered approach to fines; for example, a company can be fined 2%
of its annual global turnover for not having its records in order or for not
notifying the supervisory authority and the data subject about a breach.
These rights of individuals, along with other privacy rights,
are further protected by the extended jurisdiction of the Regulation, as it
applies to all companies processing the personal data of data subjects residing
in the EU, regardless of the company’s
location. This extraterritorial applicability, along with the potential for huge fines,
is designed to prevent global technology companies from infringing upon EU
citizens’ rights protected under GDPR.
Individuals and NGOs concerned about increasing capability
of private companies and government bodies to collect and process private
information online enthusiastically lauded the enactment of the Regulation with
The torrent of data-related scandals in 2018, which drove new public awareness
of these issues, fuelled this enthusiasm further. Indeed, NGOs and individuals
have filed a series of complaints aimed at companies like Google, Instagram,
WhatsApp and Facebook, along with other tech companies.
Even before key enforcement decisions on these complaints, GDPR inspired government
authorities and lawmakers around the world. For example, Chile amended its
constitution to include data protection rights, India’s legislators introduced
a draft of a new privacy framework with a broader scope, and Brazil passed
its own GDPR-inspired bill.
However, the popularity and the wide powers of the law do not always result in its
intended consequences—in this case, better protection of individuals’ privacy
rights and freedom. In Romania, for example, the data protection authority has
already made use of the Regulation to threaten journalists investigating
corruption and to force them to reveal their sources.
Others are also concerned that GDPR would impose an undue
burden on businesses operating inside and outside of the Union. The Right to
Data Portability requires companies to provide individuals their information in
a structured, commonly used, and machine-readable format. This is necessary in
order to make one’s data easily transferable to other companies at the request
of the data subjects. In addition, compared to huge tech companies such as
Facebook, Google and Amazon, small and medium-sized businesses have far
fewer resources to pour into their tech and legal teams for compliance and would
be more vulnerable to potential fines and penalties. This could deter emerging
businesses from operating in the region, and present a huge obstacle to future
innovation. Indeed, some have pointed out that GDPR could prevent
companies from making use of any data that may fall under the Regulation to
develop blockchain technology.
In addition, companies have found ways to circumvent the
Regulation, sometimes at the expense of consumers. When GDPR came into
effect, one of the immediate reactions of numerous U.S. websites was to deny or
restrict access to EU
visitors. Clearly, they had not prepared for GDPR compliance,
despite the two years given before the Regulation was enforced. Moreover,
companies have found ways to avoid GDPR’s strengthened conditions for
consent, which require that a request for consent be presented in an intelligible and easily
accessible form. Consumers are now being
confronted with “consent management” pop-ups that enable consent with one click
but place obstacles in the path of those who want to refuse.
It has become increasingly important to secure individual privacy and data security in the face of advancing technology and the capability of huge tech firms to make use of data, sometimes without data subjects’ knowledge. However, it is also important to recognize the possible drawbacks and limitations of harsh protective measures before hurriedly enacting such legislation simply because it is inspired by GDPR. Given the relatively short history of the Regulation, it seems a more prudent approach to observe and analyze the consequences of GDPR, and how the EU deals with those consequences, before adopting any drastic measures.
Kenneth Kim is a J.D. candidate, 2020, at NYU School of Law.