GDPR: A global mentality shift towards personal data
by Efi Thoma, Lawyer LL.M.
Data is incontestably the new gold! In the new digital era, the personal data of individuals is being collected, processed, and transferred around the globe by the companies and organizations involved in this process, without the individuals’ prior knowledge and explicit consent. The companies and organizations that collect and use such data gain a competitive advantage and strengthen their market position by analyzing it. Data may even be sold to third parties worldwide, without either the prior knowledge of the individuals concerned or their “unambiguous” consent. The new General Data Protection Regulation (GDPR) constitutes a huge breakthrough in privacy law, leading to a drastic transformation of the privacy landscape on a global scale. It is not just GDPR’s large fines in cases of breaches or serious non-compliance that make the difference; it is the new culture of awareness being established around personal data, and sensitive data in particular, together with the notion of protecting the privacy and integrity of individuals, so that individuals start to feel less comfortable handing over personal information freely on the mere assumption that doing so is acceptable.
Pursuant to GDPR, once individuals consent to have their personal data processed by an organization, they automatically become “data subjects”. Their privacy has been substantially strengthened by the right to be informed, the right to access their data, the rights to rectification and erasure, the right to restrict processing, the right to data portability, the right to object to and restrict automated decisions and profiling, and the right to know when their data has been hacked. Thus, European residents enjoy guaranteed rights to determine whether, when, how and to whom their personal information is revealed and how it can be used. Notwithstanding the comprehensive data protection framework provided by GDPR, enterprises’ successful compliance with it, the key role of Data Protection Authorities (DPAs) in interpreting and enforcing GDPR’s provisions, and their effective collaboration, the key factor that will determine whether GDPR’s aim is accomplished lies in individuals’ informed approach towards their personal data. It is imperative that European residents engage proactively and collaborate with DPAs towards the de facto application of GDPR. For example, it is important for them to know that they may file a complaint with the Data Protection Authority and seek a judicial remedy if any of the above rights is compromised or denied.
GDPR’s primary objective is to ensure the growth of the digital economy while keeping the personal data of EU citizens secure and protected. It particularly aims at the enforcement of personal data safeguards and has a direct impact not only on the EU countries but also globally, with regard to enterprises engaged in economic activity associated with the collection and/or processing of the personal data of individuals located inside the EU. US companies that have adhered to the EU-US Privacy Shield, which provides a lawful basis for transfers of personal data from the EU to US organizations, must meet much stricter requirements in order to be GDPR compliant. The Privacy Shield reflects the requirements set out by the Court of Justice of the EU in its ruling of October 2015 (“Schrems”), which declared the old “Safe Harbour” framework invalid. Sustainable GDPR compliance is undeniably a challenging task for enterprises worldwide and entails an indisputable shift in mentality regarding the perception of personal data. The EU should share its values on privacy and personal data protection in the international domain and build strategic partnerships with like-minded countries. An ambitious further step for the EU is a UN treaty ensuring a minimum standard of data protection.
Previous initiatives launched by the European Commission, such as “Citizens First”, which sought to promote EU citizens’ rights by providing practical guidance, succeeded in raising awareness and in exchanging best practices between EU countries. Ultimately, a change in mentality, notably in how personal data is valued, is required in order to turn this robust legislative framework into reality. Regardless of the mandatory nature of GDPR and its direct application throughout the EU, if individuals do not feel empowered to effectively exercise the rights stemming from it, it will remain a hollow statement. Rights are guaranteed not by the existence of laws but by their enforcement. This is a unique opportunity to take control of our personal data and uphold our fundamental privacy rights.