On 25 May, the General Data Protection Regulation becomes legally enforceable, six years after the Commission’s original proposal was published. What followed was the most intensive (and expensive) lobbying campaign in EU policy-making history.
Over the past two years, member states have been afforded time to make the necessary preparations to enforce the new data protection rules. This has involved data protection authorities (DPAs) preparing comprehensive guidance for firms and individuals on what the new rules mean for them. EU member states have also brought forward domestic legislation to interpret aspects of the text which have been left deliberately ambiguous – so called “national derogations”.
Incredible as it seems to GDPR lobbyists, lawyers and privacy campaigners, awareness of the GDPR across the wider population is still low. A survey conducted on behalf of the UK government in January 2018 revealed that only 38 percent of British businesses are aware of the GDPR. Of those that were aware of the regulation, just over a quarter of businesses (27 percent) have made any changes to how they operate to ensure compliance with the new rules.
Nevertheless, the European Commission is determined to make a success of the new legal framework. In January, the Commission committed EUR 1.7 million to fund data protection authorities and train data protection professionals. A further EUR 2 million is being made available to support national authorities in reaching businesses, especially small- to medium-sized enterprises (SMEs).
On one level this is about fundamental rights: the regulation gives effect to article 8 of the European Charter of Fundamental Rights on the protection of personal data. However, the GDPR has a strong element of realpolitik, a means of “Europe exporting its soft power” in the words of Brussels Privacy Hub co-chair Christopher Kuner. Essentially, the GDPR provides the basis for the EU to export its model of data protection globally, to imprint the EU’s legal framework for protection of personal data on international trade deals.
The Commission has made no secret of this ambition. In February, after a protracted struggle between the Trade and Justice departments of the European Commission, the College of Commissioners eventually signed off on a set of horizontal provisions (i.e. negotiating guidelines) for cross-border data flows and personal data protection to be included within trade negotiations. The text stipulates that data protection is a fundamental right, and thus cannot be subject to trade negotiations, where it could be watered down. It follows that data flows between the EU and third countries can only be provided for using the mechanisms enshrined in the GDPR (the most straightforward being an “adequacy decision”) which can be negotiated in parallel but must be independent of trade negotiations.
The text affords the EU the best of both worlds: challenging the imposition of data localisation mandates in trade agreements by third countries, but essentially imposing the EU’s regulatory framework for data protection as a pre-requisite for free data flows. Unsurprisingly this approach has been criticised by advocates of free and open global data flows. A joint letter from the CCIA and Developers Alliance reflects with disappointment that the Commission guidance is “unlikely to remove existing and future data localisation measures enacted by Europe’s trading partners.”
The sheer size of the European Single Market means that businesses have no choice but to abide by regulatory standards enshrined in the GDPR. This counts as a win for EU privacy advocates and protectionist-minded EU officials, confident in their ability to shape the digital regulatory environment. Less clear is whether the EU will reap any benefit in seeking to impose tough data protection standards on third countries through trade negotiations, or whether this will simply lead to data flows being excluded from such deals, an outcome which would be detrimental to the growth of the digital economy.
