The current world economy is highly dependent on information technology, and this technology has grown rapidly without proper measures to protect shared data. In response, the European Union (EU) Parliament formed a set of laws to give its citizens control over their information. The General Data Protection Regulation (GDPR), adopted in 2018, is a body of law intended to safeguard the data privacy that various entities had infringed. As the replacement for the previous Data Protection Directive (DPD) of 1995, the GDPR includes more stringent measures and more detailed provisions for protecting data privacy. This study analyzes how applicable these laws are in the digital era.
Under the previous Data Protection Directive (DPD), third parties could obtain personal information easily and were not heavily penalized for doing so. People’s shared data was not secure, which prompted the European Union to address the issue by passing the GDPR. The main objective of this research is therefore to examine how the GDPR increases the security of people’s personal information. This paper intends to answer the question, “How appropriate is the General Data Protection Regulation in the digital era?” It argues that the GDPR is very important because it deals with the fundamental issues of data protection in the information age. The argument is made in three sections. The first covers the history of how the GDPR emerged and a conceptual framework that defines the basic legal structure of the act. The second examines the aim of the GDPR and how it has empowered EU citizens, and the third clarifies the extent and complexity of the regulation. In conclusion, this study shows how the GDPR acts as a shield against the exploitation of EU citizens and has set a standard for other nations and territories to follow.
European human rights law recognized privacy as a human right protecting the flow of information, family life, reputation, and privacy in data processing. In the 1970s, the US developed the Fair Information Practices (FIPs), which Europe adopted, expanded, and implemented. By 1990, the European Union (EU) had concerns that data privacy laws would stifle its internal market, and a Data Protection Directive followed. Finalizing the Directive took five years of discussion. It created an omnibus system based on the FIPs for most businesses and government agencies. Even inside Europe, however, states exploited signals of slack enforcement and attractive tax structures to court big technology companies. The GDPR seeks to address these and other issues that the Directive did not fully resolve. Consultations began in 2009, and the European Union produced a draft report in 2012. Two years later, the European Parliament accepted a compromise proposal based on over 4,000 amendment requests. In 2015, the EU Council proposed the GDPR to start negotiations with the European Parliament, and the GDPR was enacted in May 2016. The regulation became operational in 2018.
The GDPR protects the information of citizens of the European Union (EU) and governs the businesses that transact with members of the region. Adopted on May 25th, 2018, it gives EU residents more control over who can process their data and unifies the data privacy rules followed within the EU (Hoofnagle et al., 2019). The regulation builds on principles already present in the Data Protection Directive (DPD) of 1995, but adds critical concepts such as the right of erasure, data portability, and accountability (Boardman et al., 2020), discussed further below. A great deal of debate and negotiation went into the formation of the GDPR to ensure that comprehensive legislation was produced which could be enforced more effectively. Although various hurdles have been met in its implementation, the GDPR is a significant step toward protecting privacy and data ownership within the EU and the world in general, as discussed below.
Background and Conceptual Framework
The European Union Charter of Fundamental Rights guarantees privacy and data protection as inalienable rights within the EU. These rights were primarily observed in the physical world and neglected in the electronic world, so the EU adopted the GDPR to protect them in the electronic world as well (Hoofnagle et al., 2019). Before this regulation, the EU had formed the Data Protection Directive (DPD) in 1995, adopted when the internet was young and the concept of data privacy was not fully understood. Over time, a large percentage of people’s information was digitized and shared over computer networks, where it could be easily accessed by individuals intending to use it for their own gain. The DPD was built on sound principles that served as the basis for drafting the GDPR, but it lacked specificity in its definition of offenses, which made it hard to hold offenders accountable. With the GDPR, the EU Parliament sought to ensure that a breach of the law could be easily identified. The GDPR also increased compliance with its mandates by establishing positions for officials who provide accountability and by raising the penalty for breaching the regulation to a substantial level.
The basic concept of this regulation applies to two parties, the “controller” and the “processor.” The controller owns the data in question and determines how the data may be processed and by whom. The processor, in turn, asks the controller for permission to process data on their behalf in order to offer a particular service. The processor has multiple legal responsibilities that ensure they handle data in a way that does not infringe on the controller’s right to privacy. Processors are legally liable for a GDPR breach for which they are responsible, while controllers are responsible for ensuring that the agreements they make with processors conform to the GDPR. The regulation now applies to processing activities carried out by all organizations transacting within the EU (Information Commissioner’s Office, 2018).
The General Data Protection Regulation (GDPR) establishes a set of rules for protecting personal data across the EU, which is particularly important in the digital age for strengthening individual rights and making it more straightforward to do business. The EU hopes that the GDPR will aid the development of the EU’s Digital Single Market (DSM), which aims to improve the harmonization of digital policy throughout the union. While safeguarding European values, the GDPR is also regarded as supporting efforts to accelerate the EU’s digital transformation and strengthen the EU’s IT industry relative to Chinese and US competitors. Among other things, the GDPR establishes uniform standards for data retention, storage limitations, and record-keeping, and identifies the legitimate grounds for data processing. Regardless of where personal data is processed, the GDPR applies to all businesses and organizations with an EU establishment that process the personal data of EU individuals (“data subjects”). It also applies to entities outside the EU that provide goods or services to EU individuals or monitor their behavior, regardless of where the data is processed. Processing certain forms of sensitive personal information is generally prohibited under the law.
Analysis of EU GDPR
In this digital society, breaches of privacy have become subtler, yet their consequences remain just as harmful as ever. At its core, the General Data Protection Regulation (GDPR) seeks to empower citizens by ensuring that they are fully informed when giving consent for their data to be processed. Citizens can also erase any data they do not want to exist (Dayalu & Punnagai, 2019). The GDPR also prompts data processors to form new and better practices for protecting personal data, since they have been made more accountable for the mismanagement of personal information (Larsson & Lilja, 2020).
The GDPR also increases individuals’ trust that data collectors will handle personal information professionally. The amount of data stored within the various cloud services is estimated to have reached ten zettabytes in 2019 (Larsson & Lilja, 2020). This large body of information is crucial to individuals, organizations, and even governments. A level of trust needs to be established that allows data processors to obtain this information, but only to the extent required and for the purpose required. Companies that comply with the GDPR have established trust with customers who want to maximize the benefits of the services provided while reducing the potential risk to a minimum.
Privacy risk, which refers to the potential for a person to lose control over their information, is a problem experienced daily. This risk exists on social media and in our daily interactions whenever we share personal information with the schools we attend, our employers, the businesses we deal with, and many other parties. The implementation of the GDPR increases transparency and accountability for individuals and companies, and though the risk cannot be eliminated, the regulations go a long way toward minimizing it (Larsson & Lilja, 2020).
Extent and Complexity
The three main improvements of the GDPR over the DPD are the protection it offers to individual rights, its principles on the transfer of data across EU borders, and its new accountability principles (ICO, 2018). Under the GDPR, individuals are given the right to erase any information they do not want disseminated. The regulation also grants the individual a right to portability, which means that the data processor must be very clear and precise when seeking the consent of a data owner. The original Data Protection Directive (DPD) was restricted in its territorial scope, whereas the GDPR protects the EU and imposes various restrictions to ensure that any country outside the EU to which data is transferred has adequate protective measures (Dayalu & Punnagai, 2019). Finally, another significant difference between the GDPR and the DPD is the number of measures taken to ensure compliance and accountability. The GDPR provides for the positions of Data Protection Officer (DPO) and Supervisory Authority (SA), two roles that ensure the compliance of data processing organizations. In addition, the penalty specified for failing to comply with the GDPR is 4% of the offending company’s annual global turnover or €20 million (Dayalu & Punnagai, 2019).
The GDPR introduced multiple rules that genuinely gave data owners within the EU more say in how their data is processed and who gets to process it. Despite this, approximately 90% of companies in the EU were poorly prepared for the new set of laws. Organizations that strive for full compliance are reported to spend up to €900,000, which leaves many organizations struggling to bring all of their data systems up to the recommended standard (Larsson & Lilja, 2020). Another difficulty is the multiple consent requirements that device users are now subjected to, which reduce the user-friendliness of many devices, applications, and software.
The advantages of the regulation greatly outweigh its disadvantages. The GDPR has given companies that comply with it a competitive edge, as they gain more trust from their customers. The regulation has demanded greater accountability for the mismanagement of data, which has reduced occurrences such as hacking and identity theft, to mention a few. Most importantly, the law has established the right to privacy as a fundamental right that cannot be neglected simply for economic gain. For this reason and the numerous others analyzed above, the General Data Protection Regulation is significant in this information age: it deals with the fundamental issues of data protection.
Boardman, R., Bullock, J., & Mole, A. (2020). Guide to the General Data Protection Regulation. Bird & Bird. Retrieved from https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf?la=en
Dayalu, P., & Punnagai, M. (2019). GDPR: A privacy regime. International Journal of Trend in Scientific Research and Development (IJTSRD), 3(4). Retrieved from https://www.researchgate.net/publication/33412366_GDPR_A_Privacy_Regime
Hoofnagle, C., Sloot, B., & Borgesius, F. (2019). The European Union general data protection regulation: what it is and what it means. Information & Communications Technology Law, 28(1), 65-98. Retrieved from https://www.tandfonline.com/doi/full/10.1080/13600834.2019.1573501
Information Commissioner’s Office. (2018). Guide to the General Data Protection Regulation (GDPR). Data Protection, ICO. Retrieved from https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
Larsson, A., & Lilja, P. (2020). GDPR: What are the risks, and who benefits? In The Digital Transformation of Labor: Automation, the Gig Economy and Welfare (1st ed., Chapter 11, pp. 187-199). Retrieved from https://www.researchgate.net/publication/337305085_GDPR_What_are_the_risks_and_who_benefits