The new General Data Protection Regulation: Still a sound system for the protection of individuals?

https://doi.org/10.1016/j.clsr.2016.02.006

Abstract

The five-year wait is finally over; a few days before the end of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit, and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort, a Regulation, the General Data Protection Regulation, is going to replace the 1995 Directive, and a Directive, the Police and Criminal Justice Data Protection Directive, the 2008 Data Protection Framework Decision. In this way a long process that started as early as 2009, peaked in early 2012, and required another three years to pass through the Parliament's and the Council's scrutiny is finished. Whether this reform package and its end result is cause to celebrate or to lament depends on the perspective, the interests and the expectations of the beholder. Four years ago we published an article in this journal under the title “The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals”. This paper essentially constitutes a continuation of that article: now that the General Data Protection Regulation's final provisions are at hand, it is possible to present the differences from the first draft prepared by the Commission, to discuss the issues raised during its law-making passage over the past few years, and to attempt to assess the effectiveness of its final provisions in relation to their declared purposes.

Section snippets

Introduction: a thorough reform but based on ideas already bypassed?

The five-year wait is finally over; a few days before the end of 2015 the “trilogue” that had started a few months earlier between the Commission, the Council and the Parliament suddenly bore fruit, and the EU data protection reform package has finally been concluded. As planned since the beginning of this effort, a Regulation, the General Data Protection Regulation (henceforth, the Regulation

The law-making process: a brief history

Because this paper is intended to recap a law-making process that lasted more than five years, we consider it important to recall and note down its basic steps: work on the amendment of the 1995 Directive began as early as 2009, with the release of a relevant public consultation by the Commission. Among the reasons listed for the need to amend it, the most important ones were probably its technologically out-of-date status as well as the lack of harmonisation among Member States. At any event,

The choice of legal instruments: an unprecedented choice (and an important win for the Commission)

The importance of the choice for the legal instruments to bear the burden of regulating EU data protection cannot be emphasised enough: to our mind, perhaps the most important contribution to EU personal data processing by the Regulation is the choice of instrument itself, regardless of its final provisions (a statement that is of course not altogether true because, as it will be later demonstrated, its provisions present data protection merit also in themselves). A Regulation to replace the

Personal data and sensitive personal data (Art. 4 and 9 of the Regulation)

The question of what exactly constitutes “personal data” is crucial for data protection purposes, because only what qualifies as such under basic data protection law is regulated by it. All other data, regardless of whether perceived as personal or not, falls outside its scope. In the 1995 Directive use was made of a phrase that proved resilient over the past twenty years: “personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’)”

The personal data processing actors (Art. 4 of the Regulation): an anachronism in the text of the Regulation

Neither did the Regulation deviate substantially from the 1995 Directive in the case of the personal data processing actors: the well-known system of data subjects, controllers, processors, recipients and third parties is more or less maintained in its text (in Article 4). It should also be noted that the initial Commission's proposal went more or less undisputed on this matter by the other two law-making bodies. In this way, however, the 1995 Directive's terminology and, what is more

Reforming the Directive's principles: important additions to an essentially preserved processing system (Articles 5 and 6 of the Regulation)

The fundamental importance of Articles 6 and 7 of the 1995 Directive for the EU data protection system hardly needs explaining – and at any event was elaborated in detail in our previous paper while discussing the Commission's initial proposal on the draft Regulation. In brief, Article 6 laid down the basic principles for the lawful processing of personal data, among which are such cornerstone notions for EU data protection as the requirement for personal data to be

Individual consent: the Commission's request for “explicit” consent did not make it through (Article 7 of the Regulation)

Individual consent is arguably the most important legal ground for personal data processing to take place. All other possible legal grounds (performance of a contract, legal obligation, vital interests, public interest, overriding interest of the controller) refer to case-specific situations that lie more or less outside an individual's sphere of control; in a way, personal data processing under the remaining legal grounds listed in the Regulation takes place regardless of whether the individuals

Updating the Directive's individual rights list (Art. 11–20 of the Regulation): the right to be forgotten (Art. 17 of the Regulation) following the CJEU Google Spain decision, profiling and other additions

One of the basic elements of EU data protection refers to a special set of rights granted to individuals in order to facilitate exercise of their right to data protection. In the text of the 1995 Directive these rights pertained to the rights to information, access and rectification of personal information (Articles 10, 11 and 12). Individuals were also afforded the right to object to personal data processing, evidently “on compelling legitimate grounds” as well as the right not to be subject

The right to data portability (Article 18 of the Regulation) and the internet social networks market

The right to data portability is an internet-specific new right afforded to individuals in the text of the new Regulation. In practice it does not constitute a new right per se, because effective exercise of consent, and its withdrawal at any time, by data subjects would have presumably brought the same result. However, it may serve as a case-specific guidance both to individuals and controllers that is expected to affect in many and important ways the internet social networks market.

What the

Data Protection Authorities (Art. 46 of the Regulation): in search of cross-border consistency

Data Protection Authorities (DPAs) constitute a pillar for the EU data protection model and are considered a successful mechanism for monitoring and enforcing data protection within their respective jurisdictions and it therefore comes as no surprise that their role is maintained and further strengthened in the text of the Regulation. However, the qualitative difference now refers to their (new) obligation to deepen their cooperation in order to achieve “consistent application of this

The obligation to notify replaced by the principle of accountability (Article 28 of the Regulation)

As discussed in our previous article, the obligation for controllers to notify all personal data processing operations taking place in the EU to their competent DPAs (see Art. 18 and 19 of the 1995 Directive) is an outdated and obsolete remnant of the 1960s and 1970s, when it was thought that processing operations would not be that many, would be country-specific and could therefore be organised in a centrally kept register. Reality has however proven otherwise; even since the 1990s the

Data breach notifications: made too flexible? (Articles 31 and 32 of the Regulation)

Data breach notification, as noted in our previous paper, is a data protection novelty that originated in the ePrivacy Directive but in the meantime was considered a successful enough measure to find generalised use through

The role of “soft law”: Data Protection Impact Assessments, codes of conduct and certification (Art. 33, 38 and 39 of the Regulation)

Among the many novelties introduced by the Regulation, “soft law” instances in the form of Data Protection Impact Assessments, codes of conduct and certification hold a prominent position. These newcomers ought to be examined within the context of the abolition of the notification system and the introduction of the principle of accountability instead; under the Regulation, controllers are expected to take the initiative with regard to their personal data processing. Such initiative however

The European Data Protection Board as a consistency gatekeeper (Article 64 of the Regulation)

The importance of the Article 29 Working Party for EU data protection cannot be overstated. During the past twenty years since its introduction in the text of the 1995 Directive it has constituted the main body for consultation and harmonisation on all data protection matters within the EU. Although of a consultative nature, the fact that its members were Member State DPAs meant in practice that the level of influence over data protection implementation

Conclusion: still a sound system for the protection of individuals

Four years ago we concluded that the release of the new Regulation draft was a “cause for celebration for human rights”. Obviously, the question is now whether the Regulation's final wording still justifies our previous finding. In short, we believe that it does. Even the choice of legal instrument, a Regulation instead of a Directive, is reason enough to celebrate: inconsistencies and lack of harmonisation that attracted so much attention over the past decades and led to impasses due to

Cited by (114)

  • A framework for data privacy and security accountability in data breach communications

    2022, Computers and Security
    Citation Excerpt:

    They noted the inability for many people to monitor the complex trail of data they have left behind them or to withdraw or reassert rights over data they have already provided. They suggest that despite the widespread prevalence of data breaches, there is little awareness of the scale and type of data breached or the efforts made to mitigate risks. de Hert and Papakonstantinou (2016) also noted that with data now increasingly handled by multiple processes and parties, accountability also becomes more complex, as does the concept of informed consent.

  • Data-inspired co-design for museum and gallery visitor experiences

    2022, Artificial Intelligence for Engineering Design, Analysis and Manufacturing: AIEDAM