Let us take stock of a particularly intense time regarding data and try to envision how all the regulatory and social changes created around personal data will affect us.
In Europe, May 25, 2018 marked the starting point of the implementation of the General Data Protection Regulation (GDPR), and in Spain, the year ended as the new Organic Law on Data Protection 3/2018 (LOPD) was passed on December 5. Both regulations have meant significant changes in the way we take on the matter from a regulatory standpoint, and have opened up a period of increased complexity. It has not only become a more complicated situation because of the difficulty of implementing and interpreting new regulation when precedents and previous rulings made by judges and authorities are only partially valid, but also because the data economy itself is in the midst of a revolution.
In any case, the issue of personal data can have very different interpretations depending on perspective. For citizens—the owners of the data—it has been a year filled with scandals, major security failures and political manipulation through the use of our data. Not that failures and abuses didn’t exist before, but the cases have increased and we now hear about them more often. The new regulation requires companies to publicly communicate security failures in many cases, and some have anticipated the regulatory change. The press never foregoes a good headline when a data leak occurs, and it seems to feed the curiosity of readers, but as citizens, do we really care about protecting our personal data? The reality is that our data is the currency we use in exchange for many free services, and that a large majority of us are unwilling to give them up, or, pay legal tender for them. Additionally, social networks are changing the value of privacy. Andy Warhol said, in the future, everyone would have the right to their 15 minutes of fame. Will we now have to fight for our 15 minutes of privacy? Should regulation protect us from ourselves, from our exhibitionism and thoughtlessness? The basis of the individual’s consent as the mechanism for the legitimate processing of his or her data is losing relevance as evidence that users do not understand what we are accepting, and in many cases don’t even bother to read before we click, grows stronger. The GDPR seeks to increase transparency and develop other bases for data processing, recognizing new rights for the data subject, such as the right to be forgotten and data portability, which give the individual more control over their data. Where this will all lead is still to be seen. The European legislator’s concern that our data is not used abusively for commercial purposes could open the door for us, the individual, and not just companies, to become those who profit from our privacy, or rather, the lack of it.
Regulatory changes pose a difficult challenge for organizations. On the one hand, market trends talk about digital transformation, big data, how to improve user experience through customization, artificial intelligence and how machines and objects will interact autonomously with us. All of this implies an intensive use of data in a global and highly competitive context. It’s a game companies have to play if they want to survive. No one disputes the need to protect the individual against the misuse of their personal data. However, we should be aware that Europe has chosen to establish a model of preventive protection, in which important formal obligations are established, all of which attempt to not only correct and punish abuse, but to also prevent it from taking place. This preventive model generates a series of obligations for compliance that do not necessarily prevent sanctions or reputational damage, even when organizations try to strictly comply. This is the case for now, at least until the passage of time allows the many uncertain legal concepts included in the new regulation to be settled. This will generate additional costs and make businesses based on the data economy that operate in Europe or are directed at European citizens, less competitive. The stakes are high. EU Institutions have tried to create a standard for data protection to export to the rest of the world and, at the same time, one which serves as a trade barrier—although more or less concealed—for big multinationals from North America and Asia which have business models associated with intensive use of personal data. However, it remains to be seen if the strategy will work. In the end, all of these formal requirements are easier for large organizations to comply with. Startups and small businesses who want to grow within Europe will have the hardest time with new regulatory costs.
Although it might seem like a sweet spot for regulators, assisted by the heavy weapons the new sanctions deliver (20 million euros or 4% of turnover for very serious infringements), they also face significant challenges. The GDPR is a complicated regulation for legislators, with the need for political balance between all interests at play across Member States, leading to the creation of a sort of Frankenstein regulation made up of many elements that are difficult to combine. It is a regulation that is directly applicable to Member States but which has multiple backdoors allowing countries to establish exceptions and their own regulations; regulatory provisions which necessarily require national implementation and development as if it were a directive rather than a regulation; complex coordination mechanisms between various data protection authorities to try to achieve some consistency at the European level; and, above all, the need to resort to national law, both materially and procedurally, when interpreting and enforcing the regulation. This swampy terrain will make effective pursuit of some types of abuse difficult and is already promoting scattered criteria in the application of the regulation. Most litigation will therefore be a burden suffered by companies and regulators alike, although obviously with different consequences. Additionally, hypertrophy of the right to data protection is not only at odds with commercial and business interests, that could more easily be set aside; it increasingly creates conflict with the protection of other fundamental rights. Regulators are facing the challenge of combining this right with the right to freedom of expression, the right to information and even the right to health protection; an unbalanced application of the regulation could lead to loss of its legitimacy.
The compatibility of data protection regulations and a successful digital economy is still to be seen
Finally, legislators, both at the national and EU level, are not contributing much to provide legal assurance. The newly approved Spanish LOPD, with a surprising parliamentary consensus despite existing political division on other issues, forces the limits of data protection established by the GDPR when it states, “the collection of personal data related to the political opinions of people who form political parties as part of their electoral activities will be protected in the public interest,” or that “political parties, coalitions and electoral groupings may use personal data from web pages and other publicly available sources to carry out political activities during the election period,” or “sending electoral propaganda electronically or through messaging systems and paying for electoral propaganda on social networks or equivalent platforms shall not be considered commercial activity or communication.” The strong punitive burden placed on private organizations also contrasts with the choice of the Spanish legislature to exempt Public Administrations from possible economic sanctions, and in general apply less regulatory pressure on the control of what governments and administrations do with our information.
In short, uncertain times for data protection are coming, as is true of so many other things we experience in this day and age. If anyone thinks data protection is something that only concerns lawyers, and that ultimately it is nothing more than applying one more regulation, I would say, they are wrong. What does seem certain is that, given all of this uncertainty, legal knowledge in this field must necessarily become more sophisticated, developing a deep understanding of the businesses and sectors that will need support while becoming integrated with other areas of knowledge. Good council on the issue of personal data will be an essential tool not only in minimizing the risks associated with the development of the digital economy, but also in identifying opportunities for businesses with ethical foundations built to withstand public opinion. Digital transformation, at least in Europe, will be strongly influenced by legal and regulatory aspects.
Raúl Rubio is specialized in IT/IP Law, Privacy and Data Protection. Raúl Rubio has participated in multiple projects for clients in different sectors assisting clients in their adaptation to the data protection legislation, leading data protection audits, providing legal advice in administrative and legal proceedings related to data protection and privacy and offering ongoing advice about technological risks, among others. Raúl Rubio has participated in the drafting of BCRs for a major Spanish bank and has provided advice to a consultancy firm in the design and implementation of the necessary legal mechanism for the international transfer of personal data. Additionally, he has participated in Big Data projects analyzing the legal implications of worldwide projects from a privacy perspective and has represented clients before the Spanish Data Protection Agency on a regular basis.
Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.