May 25th, 2018 is going down in history as the day when things have changed on The Internet. It is the day when General Data Protection Regulation (GDPR) is finally coming into effect across the entirety of European Union.
Even less than a month before this great event - it is absolutely obvious that GDPR full implementation is a game-changing moment in the long and winding issue of the internet privacy that was dwindling out of control in the recent years.
General Data Protection Regulation aka GDPR is the result of six and half year quest to make sense and justice to the basic principles of data protection.
GDPR is a set of rules designed to give users more control over their personal information and impose transparency and accountability of the companies who gather it.
For years attempts to update data protection laws had struggled with lack of awareness and demand of the public, the unwillingness of the companies to abide by and relentless static of the politicians.
The most recent GDPR predecessor - Data Protection Directive, was implemented way back in 1995 and it is fair to say that it didn’t age well. The problem was that its instruments of influence became outdated and ineffective at the current time.
However, it served as a fine foundation. DPD clearly stated the basic thing - the individuals have ownership rights over their personal information after they’ve shared it with the third party company in exchange for certain services. But the biggest flaw of the DPD was that it was merely a directive and as such, it was interpreted differently by various members of The Union. On the other hand, GDPR is a regulation. That means it is a unified set of rules implemented by the supervisory authority among all the members of the European Union.
In essence - General Data Protection Regulation was designed to make sense and bring some form of an order to the user-service provider relationship. It is all about bringing the transparency, responsibility, and trust in the relationship between the users and various companies who collect their data in exchange for seemingly free services.
For the users, new data privacy laws give the control over their personal data and provide them with legal instruments to demand its removal, correction or simply an explanation of the purposes of its use.
On the other hand, GDPR makes companies accountable for their actions and responsible for the safety of information from malicious intent or leakage.
Another important thing is that GDPR introduces rather a harsh system of penalties designed to humble those who don’t want to play by the rules or act careless enough to expose their systems for malicious intent or data breaches.
The motivation behind the adoption of GDPR is rather obvious - European Union badly needed to a legislation that would reflect and regulate how people’s personal data is used by various companies, especially those who offer their services for free in exchange for some gathering data from its users (such usual suspects as Google, Facebook, Twitter, Amazon, etc).
For a while the problem with privacy and information security regulation was pitifully dependent on “the kindness of strangers” - there were no solidly defined rules regarding terms of personal data usage. Basically, companies could do whatever they wanted with the gathered data and there were no legal instruments to deal with stretching the boundaries of data privacy.
However, recent data breaches and illicit user gathering scandals (such as Equifax Leak or still ongoing Cambridge Analytica scandal) raised the awareness on the subject considerably up to the point it became painfully obvious that current legislation simply can’t handle such problems.
To put it bluntly, 1995’s Data Protection Directive was absolutely inadequate for the current state of things and it was like that for a long time. In fact, DPD was way past its selling date by the early 2000’s - it was in dire need of either significant update or complete replacement. Years of pretending that nothing is happening combined with the blatant ignoring of taking action on the burning issue resulted in awkward playing catch-up with the reality.
Among the things that were updated and reiterated where expansion of the definition of the personal information and further elaboration on the rights and responsibilities of the parties involved in data processing.
Back in January of 2012, the European Commision had announced their intentions to substantially update data protection policies across the European Union. GDPR was designed as the centerpiece of the reform. It took four years to get it right and finally in April 2016 it was adopted with a two-year period of transition and preparation for its coming into effect this May.
While GDPR is far from the best solution - it is already something and it is “better late than never” kind of situation. At least now we have something. The timing couldn’t have been any better because of increased awareness of the importance of privacy and security.
It is a big achievement considering the turbulent history of previous attempts of developing privacy regulations and absolute uncertainty with the future of privacy on the internet.
Stay tuned - we have prepared a series of posts on GDPR and what companies and users should do and expect from this law (and, as a bonus, it's explained in simpler-than-law-terms language.)
* * *
This blog post is a part of the series. Click to read the other chapters:
See also: app development for law firms