Maligned and abused GDPR is the best protection we have

Author: Karlin Lillington
Published date: 27 May 2021

Although it is European legislation, the GDPR's impact has been global. Once in place, it established a high data protection bar for Europeans, and not just for EU-based organisations. As of May 25th, 2018, any entity anywhere has had to comply with the GDPR if it wants to do business with the people within one of the world's largest economic markets.

Pre-GDPR, the EU already had some of the world's strongest data protection laws but they lacked the sharp teeth of consequential enforcement. Beyond EU borders, they were generally considered so meaningless as to be routinely ignored.

Such scepticism was warranted. But that changed after several European data protection milestones (most involving Ireland) in quick succession. First, in a case brought by Digital Rights Ireland against the State's data retention laws, the European Court of Justice (ECJ) decided in 2014 to invalidate the entire EU Data Retention Directive.

The following year, the ECJ gave its ruling in the first case brought by activist Max Schrems, after he sought a judicial review following a ruling by the Irish Data Protection Commissioner over a complaint he filed against Facebook. The ECJ ruled in Schrems's favour and, in the process, declared the existing EU-US data transfer protocol, Safe Harbour, invalid.

These cases informed the drafting of the GDPR, which had to be shaped to accommodate the opinion of Europe's highest court - a body that had not previously weighed in on data protection issues with such force and clarity.

EU officials were well aware of the far-reaching nature of the GDPR and recognised that, with its significant protections, compliance requirements, and wake-up-and-pay-attention punishments (a fine of 4 per cent of global revenue tends to grab notice), organisations should be granted time to prepare for compliance. Hence, they gave them two years to get ready. The GDPR was actually passed as law in April 2016, technically making it five years old, not three.

Silly citations

Where are we now with GDPR? On the negative side: the regular silly citations of supposedly GDPR-mandated, minor outrages (which never actually are GDPR-mandated). These lead people to believe wrongly that a law which gives them significant protections is there to eat away at perceived conveniences - whether it be signing a visitor guestbook or getting their hair coloured. It does not.

This is connected to another negative: the growth in organisations using the GDPR as a reason not to...
