The General Data Protection Regulation (GDPR) is the cornerstone legislation for data protection and data privacy in the EU, but remains plagued with some significant problems. And the majority aren’t what everyone thinks they are.
The beefs that commonly come up are that small businesses and ordinary people encounter all sorts of silly rules and bureaucracy, and big technology companies still get away with the same old, same old.
There’s some truth there. But the blame primarily lies not with privacy and data protection as a concept, intention or a legal and human right. It lies, more often than not, with the national governments and regulators that implement the law – or fail to – and the big tech companies that swerve and duck and throw standing armies of lawyers at every challenge and judgment.
It suits politicians, security services and big tech to have the general public fretting over misinterpretations of GDPR at the microscale – supposed prohibitions over signing books of condolences, or supposed bans preventing hairdressers from sharing their clients’ hair colour blends. In most of these cases the GDPR actually had no relevance. The real concern should be the macro problems perpetuated by the state and corporate powers that are the actual targets of GDPR. It’s their overreach into our right to live a reasonably private life that the GDPR is meant to address. But it suits them to have the GDPR presented as the problem, not the solution.
Two events last week provided depressingly apt examples and reminders of how power tries to maintain power. First, in Ireland, the Supreme Court dismissed objections to the admissibility of a gangland gunman’s phone data in a case heard a week ago Monday. That means the phone evidence will stand, even though it was collected years after the Irish data retention law fell. That 2011 law was made invalid by the European Court of Justice in 2014 when the court declared the entire EU Data Retention Directive invalid – on a case based on a challenge taken to, yes: the actual Irish law.
Six of the seven judges said gardaí in 2017 acted in good faith in gathering the data using the invalid law, because the 2011 law was still on the statute book. But the law was still on the statute book because the Irish government chose to ignore that 2014 ECJ ruling; a case so significant that it would substantially reshape the then-draft GDPR. In a show of extraordinary government arrogance, the invalid Irish law would remain in place until 2022, despite numerous warnings from experts that convictions for serious crimes could fail due to this indifference.
You might wish to argue that if a criminal conviction remained in place, then that’s a good thing. But democratic justice systems are based on the fact that surveillance and data gathering must be proportionate. The highest EU court made clear a decade ago that Ireland’s data collection regime was not. The state gambled that it could get away with pretending it didn’t need to address this yawning human rights gap. Whereas, if it had put a lawful system in place, it could have gathered evidence and not risked having serious criminal convictions overturned.
Then, at the annual European Data Protection Symposium last week, the EU commissioner who was largely the architect of the GDPR, Viviane Reding, told an inconvenient truth during a keynote speech. The GDPR had been intended to bring large data-exploiting corporates to heel, not to be used to inflict mind-numbing, sometimes ineptly wrong bureaucracy and piddly fines on small EU businesses and organisations, she said. The original intent, she added, was for a single EU regulatory office to deal with these big data issues, not almost three dozen national regulators bickering over the scope of punishments for the big players and unevenly applying the Regulation at home.
When I moderated a 2021 online panel with Reding for a DCU Brexit event, she made similar comments and also strongly criticised Ireland’s Data Protection Commission (and others), for not having made use of the full powers granted by the GDPR to punish the big tech multinationals at any meaningful level.
Sadly, it’s often in the interests of both governments and corporations, and sometimes, national regulators not inclined to rock the status quo too much, to undercut or under-enforce our privacy and data rights. It is in their interests, because both the state and the corporate world see data and varying degrees of ongoing population surveillance for the highly valuable (to them) control and profit mechanisms they are.
And so it is that states and corporations are willing to risk whatever slaps are inflicted by the EU’s highest court or national regulators, because they hope to keep grabbing that data and carve out additional years of surveillance as usual. And it is surely mega-corporates and governments that lobbied for the so-beneficial changes to the original mechanisms of the GDPR, which, handily, give Ireland so much say in how Big Tech is regulated. If GDPR needs a revamp – and yes, it does – it should be to dump the current slow, lackadaisical national regulator system and properly enforce our data and privacy rights.