Against All Odds – The Adoption of the General Data Protection Regulation
Two months ago, the European Parliament and the Council enacted the European General Data Protection Regulation (GDPR), the result of a legislative procedure that ran for four years. For a long time it was uncertain whether the regulation could be passed at all: not only was there considerable opposition from EU Member States, but Parliament also tabled about 4,000 amendments, accompanied by intense lobbying (cf. David Bernet’s documentary).
With the reform of European data protection law, the Commission sought to strengthen the rights of individuals, conceptualised as data subjects. Regarding individual rights, the Commission pointed to three main shortcomings as grounds for the reform: insufficient harmonisation of the national data protection laws governing individual rights, insufficient powers of national authorities to ensure that individual rights can be exercised effectively, and insufficient awareness among individuals of their rights in data processing. These shortcomings were deemed especially prevalent in online data processing. The Commission therefore aimed to give people efficient and operational means to ensure that they are fully informed about what happens to their personal data, enabling them to exercise their rights more effectively.
The effective exercise of data subjects’ rights is not merely wishful thinking on the part of the Commission; it is a constitutional issue. The constitutional basis for the protection of personal data is the fundamental right to the protection of personal data laid down in Art. 8 of the EU Charter of Fundamental Rights (CFR) and Art. 16 TFEU (both of which the GDPR cites as its legal basis).
The ECJ takes the fundamental right to data protection seriously and regularly includes the fundamental right to respect for private and family life in Art. 7 CFR in its reasoning, thereby strengthening its standing as a fundamental rights court. In fact, there have been a number of spectacular decisions in which the ECJ annulled secondary law on privacy and data protection grounds, or interpreted it in a data protection friendly way (Google Spain, Digital Rights Ireland, or Schrems).
The Court does not ignore the countervailing rights of third parties or public interests, since the fundamental right to data protection is not unbounded. But contrary to what the ECJ seems to suggest in Google Spain, one cannot assert a general priority of the right to data protection over the fundamental rights of third parties. Rather, the outcome depends on a proportionate balancing of the opposing fundamental rights in every single case.
Rights of the Data Subject and the R2BF
Since data subjects cannot exercise their rights at all without being adequately informed about the processing of their data, the GDPR obliges the controller to inform the data subject about the main aspects of the processing. It also provides the data subject with a right of access to the processed personal data and to information about the processing. The data subject can obtain rectification or completion of inaccurate or incomplete data, as well as the erasure of unlawfully processed data. Furthermore, the data subject may object to the processing of personal data on certain grounds. The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects him or her. However, all these rights can be restricted by Union or Member State legislation where such a restriction is a necessary and proportionate measure to safeguard private rights or public interests.
To some extent, these rights and provisions can already be found in the 1995 Data Protection Directive. But there are also some new rights without precedent. The first is the right to data portability: the right to obtain a copy of the stored data from the controller and the freedom to move it from one service provider to another without hindrance. The second, the so-called “Right to be Forgotten” (R2BF), has attracted much more attention. It was not only a core issue of the Commission’s proposal, but was also associated with the ECJ’s Google Spain decision, even though the ECJ never mentioned the R2BF, neither in Google Spain nor in later decisions. The R2BF addresses the popular assumption that the Internet never forgets and that online information is there forever. But, to come to the point: the GDPR did not implement what has been discussed as the R2BF in the past.
The term “right to be forgotten” appears, in quotation marks, in the heading of Art. 17 GDPR. Since para. 1 provides the well-known right to erasure, the R2BF must be hidden in para. 2. According to para. 2, where the controller has made the personal data public and is obliged to erase them, the controller shall take reasonable steps to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. Art. 17 para. 2 thus only obliges the controller to inform third controllers of the data subject’s request for erasure, and even that only taking into account available technology and the cost of implementation. Unlike the European Parliament’s proposal, the final text does not oblige the controller to ensure that third controllers actually erase the data. Art. 17 para. 2 therefore appears to be a very weak implementation of a R2BF.
The legal and factual consequences of Art. 17 para. 2 are in fact far from clear. First of all, it may be impossible to determine all third parties who have processed data published on the Internet. Secondly, it is questionable whether merely posting a notice of the data subject’s erasure request on the controller’s own website amounts to proactively informing third controllers. Moreover, given the reference to available technology and the cost of implementation, it will often be impossible, or at least an unreasonable burden on the controller, to inform all third controllers.
Thus, it is not surprising that the R2BF label in the GDPR has been described as puzzling, misleading and unnecessary, and even as a bluff package. As long as the provision merely regulates the technical process of erasing data, there is no need for the label “R2BF” with its anthropological, psychological and social connotations.
The Commission aimed to bring European data protection law into the 21st century and to make it fit for the Internet. In fact, with its broad territorial scope (cf. Art. 3 GDPR), the GDPR enforces the established data subject rights even against non-EU controllers, which is especially relevant for online data processing. The GDPR also introduces new data subject rights. However, the new R2BF does not live up to its promise; it is nothing more than a duty to inform third controllers where this is possible and does not impose an unreasonable burden.
But the GDPR also strengthens the data subject’s rights by other means. It introduces considerable administrative fines for infringements of the data subject’s rights: up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover, whichever is higher. There will also be closer cooperation between national and European data protection authorities for a more coherent implementation of European data protection law. Finally, the GDPR refers to a more comprehensive approach and to new modes of data protection, such as the concept of privacy by design and awareness raising for data protection, but without elaborating on either. Although these concepts will have to be given concrete shape by courts and data protection authorities, after many of the Commission’s proposed powers to do so through delegated acts were dropped during the trilogue negotiations, the GDPR can be regarded as a striking result of a legislative procedure that is unlikely to be reopened in the near future.