Data protection law is going global, and the European model seems to be the one to follow. For example, the law that is being enacted in India has many features that are present in the GDPR. There is debate going on in the US about whether they should bring in federal data protection law based on the European model. There are already various US state-level, sectoral laws that have GDPR-style features.
The assumption seems to be that European data protection law is the most comprehensive and the strongest. Therefore, it provides the best protection to individuals and the most effective safeguards against informational bad behaviour by the corporates and the state. But is the GDPR really that good? How effective has it been and how much has it cost? Would it be better to start from founding principles?
Should the GDPR be seen as the gold standard?
There is a lot of baggage that goes with the adoption of European-style data protection law and despite its prescriptiveness, there’s still room for interpretation. Compared to the law it replaced, the GDPR is very detailed because legislators believed that a more prescriptive law would prevent lax regulators – who want to go easy on the nasty tech companies – from interpreting the law’s principles in an overly permissive way. However, the theory doesn’t work and the ‘risk’ thresholds (‘large scale’, ‘systematic’, ‘occasional’ etc), that aimed to make the GDPR’s compliance burdens scalable and proportionate, have given regulators and organisations considerable leeway to interpret the legislation in a relatively strict or light-touch way. It also means that organisations can hardly ever be certain whether they are compliant or not. Maybe that’s inevitable, with a piece of law that is based on admirable but vague principles.
Along with its prescriptiveness, the European Data Protection Board is also intended to ensure a high quality (or tough, or inflexible – depending on how you see it) standard of data protection across Europe. This board consists of representatives of all the EU data protection agencies (EEA countries take part too, but with observer status) and is meant to deal with significant cases that involve the processing of information about people across Europe. Ultimately, any disagreement within the agencies about the ‘measures’ to be adopted in a particular case can be resolved by a majority vote.
Looking back, some years ago there was disagreement between the agencies about Google Streetview, which was being launched in Europe at the time. The views ranged from ‘it’s just pictures of streets and houses and it’s not personal data anyway’ right through to agencies that wanted an outright ban as photographing someone’s house is as intrusive as taking possession of their soul – with every variant in-between.
If the Streetview matter had happened under the EDPB and there had been a vote, Streetview would probably have been outlawed across Europe. Some might consider that a good outcome, but the very many people who use Streetview, apparently with no negative effect on their own or anyone else’s privacy, probably wouldn’t.
If countries outside Europe really do want to follow European data protection standards, then presumably they will also need to be strongly influenced by EDPB and EU court decisions. They need to be careful what they wish for, and should consider the potentially negative impact of hostile regulatory or court decisions. An over-zealous application of the GDPR’s prior checking provisions, for example, could be very problematic for technology start-ups offering new personal information-based products or services. (It will be interesting to see how closely the ICO follows the European lead once the UK ceases to be a Member State.)
Would it be better to start from the basics?
Modern data protection law started in the UN following WWII. The law has always been based on the same principles – individuals’ rights, purpose limitation, transparency, data quality, security and so forth. Most people would probably agree that they should normally have a right of access to information about them and that they should generally know what organisations are going to use their information for. They would probably also agree that information should be accurate and kept secure. However, data protection law has expanded enormously from the basic principles of its foundation. If there is going to be international convergence around data protection law then it might be a good idea to start from those principles, rather than amending the GDPR, for example by adding some additional ‘special’ data classes, as they are doing in India.
There are certain aspects of the GDPR whose removal would simplify matters no end. For example, the ‘legal bases’ system has never worked well in UK-style legal systems – it adds a layer of complexity that offers individuals little or no protection, particularly in respect of private sector organisations. In many years at the ICO, I cannot remember any action being taken against a private sector organisation purely on the grounds that it could not identify an appropriate legal basis for its processing activity. In reality, this is largely an academic issue.
An associated problem is the ‘ordinary’ versus ‘special’ personal data categorisation – and the need to identify additional legal bases and implement more stringent compliance measures for the latter. This again introduces an unnecessary layer of complexity. This part of the ‘system’ has never worked well in practice. Is there really anything particularly sensitive or ‘special’ about an employer recording that someone is off sick with a cold? Why aren’t financial details, whose loss or corruption can have a significant and immediate impact on people, subject to special protection? (Real sensitivity depends on context, not just on data-type.)
Removing the law’s ‘legal basis’ and ‘special data’ elements – its impenetrable terminology and data transfer rules also need reform - would make the law considerably simpler and allow organisations to focus on the law’s rights and principles. On the whole, these have stood the test of time well and they are accepted by organisations and welcomed by the people whose information they collect.