CHAPTER ONE – INTRODUCTION AND OVERVIEW
The GDPR, or Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) to give it its full title, is part of a general drive to increase the controls applicable to individuals' personal data.
While aspects of the GDPR have been met with howls of protest from business, and it has been called impractical and an unreasonable control on business, this is probably unfair. Some of the criticisms stem from misunderstandings and hysterical reporting of the restrictions. Additionally, the GDPR should be seen as part of a global drive to increase the restrictions on the way business makes use of personal data. Since the GDPR came into force in Europe, its provisions are being mirrored in locations as geographically diverse as California (through the California Consumer Privacy Act) and India (in the Personal Data Protection Bill). It should also be seen as an effort to bring data privacy up to date with the incredible pace of change of the internet and to introduce some curbs on the ability of large multinationals to collect and process huge volumes of personal data on individuals.
The core aims of the GDPR are:
to ensure that individuals have a very clear idea of what is being done with their data and by whom;
to ensure that individuals have effective powers to exercise control over their data;
to prevent evasion of legislation by moving data out of the jurisdiction;
to ensure that data is processed only to the extent that is necessary and with a clear eye to the risks of that processing;
to allow easy processing of data where that is beneficial to individuals;
to create an enforcement regime which provides for effective penalties where the rules are breached.
The GDPR works primarily by creating a new concept of the Data Subject, who is then provided with specific and detailed rights. A Data Subject can only be an individual, a natural person, and never a company or other legal entity. By doing this the GDPR creates a new series of rights for individuals over their own Personal Data, but without impinging on the existing system of property rights, intellectual and otherwise, of those organisations that have collected data and analysed it. Therefore it is still possible for companies to trade in and own data, but individuals can maintain their control over it. This compromise between property rights and Data Subject rights is imperfect but was almost inevitable given the very large and powerful organisations that now control so much of the world's data. In fact, the balance created by the GDPR is one that is being followed elsewhere and is ultimately likely to become the model for data protection everywhere.
The GDPR - An Overview in the UK
The GDPR, like all EU regulations, has direct effect within the UK, at least until the point at which the UK chooses to leave the EU fully. However, the GDPR has also been implemented more directly as a UK Act of Parliament through the Data Protection Act 2018 (DPA 18). This Act specifically names the GDPR and incorporates it within UK law in such a way that it will continue to be a part of the law of the UK independently of our membership of the EU. However, where the GDPR stands in the longer term is open to doubt. In a written statement made on 3 February 2020 the Prime Minister indicated that the UK would look to develop its own separate policies for data protection, among other things.
The GDPR is very much a risk-based system. Processors of data are encouraged to carry out risk assessments of their activity and the potential risks to both security and the rights of individuals. This places a heavy obligation on businesses to ensure that they are complying with the GDPR, because the GDPR operates by making general statements of what needs to be achieved, while exactly how a business does so is something for it to decide.
When reading the GDPR it is important to give some consideration to its nature. Like all legislation which emanates from the European Union, it needs to be considered as a whole as well as in parts. The recitals that act as an introduction to the GDPR need to be read with some care, as they provide a great deal of additional information that both modifies the understanding of the main articles and adds a great deal of important detail. Then, for each area, it is necessary to consider the DPA 18, which modifies parts of the GDPR by providing various derogations and limits on its scope. Finally, because the GDPR aims at general statements, it is useful to review the guidance provided by the European Data Protection Board (EDPB), the guidance produced by its precursor body the Article 29 Working Party (Art 29 WP) and, for a more UK-specific view, the guidance of the Information Commissioner's Office (ICO), to gain assistance in interpreting the provisions in practice. This is quite an involved process, and in practice most people will short-circuit it by heading straight for the guidance on the ICO's website. However, it is worth bearing in mind that the ICO's views as expressed on its website are just its views, and ultimately it is the courts that will give the final view as to how the GDPR should be interpreted. The ICO's guidance is also quite summary and generic in nature, and for a better understanding of how the GDPR should be applied in a specific situation other guidance is useful.
The GDPR has a purposely wide ambit. Unlike previous data protection regimes in the EU, which only applied within the EU, the GDPR applies to any Data Controller processing Personal Data about an EEA national, regardless of where they are based or where they do the processing. This extra-territorial scope, applying the GDPR to any person providing goods or services within the EEA or monitoring the activities of EEA citizens, is found in other recent privacy legislation. The California Consumer Privacy Act also seeks to apply to any organisation doing business within the state of California, regardless of where it is ultimately based. Naturally, there is some question over how enforceable any of these rules are in practice, but the general principle that they seek to espouse holds good. The key point is that it is not possible to avoid the GDPR simply by moving data out of the EEA.