GDPR, Something Stringent Building Sway


GDPR’s Precursor

Beginning in the 70s, then through the 80s and 90s, given the increased use of information and communication technology (ICT) in private and official activities, growth in international trade, globalization and the resultant cross-border communications and information flows, and the growing concerns of data subjects (users) for privacy and the preservation of other rights, legislation for data protection seemed a timely saviour. To that end, the Universal Declaration of Human Rights and the European Convention for the Protection of Human Rights were balanced with the OECD Guidelines for Multinational Enterprises in formulating the legislation that led to the EU Law Directive 95/46/EC.

The EU law Directive 95/46/EC, enacted in 1995, pre-empted other legislation, as suggested, and was itself superseded by the General Data Protection Regulation (GDPR) in 2018, two years after the GDPR was adopted by the European Parliament and Council of the European Union. Directive 95/46/EC became applicable in 1998 and regulated the protection of personal data and the free movement of such data within the EU. Additionally, it aimed to harmonize the national data protection laws of the Member States and to ensure a high level of protection for the privacy and fundamental rights of individuals in the EU, and it sought to facilitate the cross-border flow of personal data for economic and social purposes, such as trade, communication, or cooperation.

In summary, the environmental and motivational factors for the implementation of Directive 95/46/EC were mainly:

·      The rapid development and expansion of information and communication technologies, such as the Internet, which increased the volume and complexity of personal data processing and posed new challenges and risks for data protection and privacy.

·      The diversity and inconsistency of the national data protection laws of the Member States, which created legal uncertainty and obstacles for data controllers and processors, and reduced the level of protection and trust for data subjects (information relating to a person who can be identified, directly or indirectly).

·      The influence and pressure from the international community and civil society, which called for a common and comprehensive data protection framework for the EU, and for the promotion and protection of human rights and democratic values.

·      The recognition of the importance and value of personal data as a key resource and asset for the internal market and European integration, and the need to balance the economic and social benefits of data processing with respect for the rights and freedoms of individuals.

·      The recognition of privacy and data protection as universal human rights and as essential components of human dignity, democracy, and the rule of law in the EU, as enshrined in the Charter of Fundamental Rights of the EU and the EU Treaties.

·      The awareness and expectation of data subjects for more control and choice over their data, and for more transparency and accountability from data controllers and processors, especially in the digital age.

·      The lack of information and transparency about how and why data subjects’ data were processed, and by whom, and the lack of consent or other legal basis for the processing.

·       The lack of security and confidentiality of data subjects’ data, and the exposure to data breaches or infringements by data controllers, processors, or third parties, such as hackers, criminals, or foreign governments.

·      The lack of accuracy and relevance of data subjects’ data, and the difficulty of accessing, rectifying, erasing, or restricting their data, or of challenging or correcting any errors or inaccuracies.

·      The lack of control and choice over data subjects’ data, and the inability to object or withdraw consent to certain processing activities, such as direct marketing, profiling, or automated decision-making, or to port their data to another service provider.

·      The lack of effective and accessible ways to exercise data subjects’ rights and remedies, and to lodge complaints or seek judicial remedies or compensation for damages resulting from data breaches or infringements.

However, Directive 95/46/EC had several inadequacies that led to its replacement, as stated before, by the GDPR on 25 May 2018. Some of these inadequacies were:

·       The lack of uniformity and consistency across the EU, as it allowed Member States to implement and interpret the Directive differently, creating legal uncertainty and fragmentation for data controllers, processors, and subjects.

·       The want of adequate protection for personal data transferred to third countries or international organizations outside the EU, as it relied on the adequacy decisions of the European Commission or the self-certification of data controllers, which were often insufficient or challenged by the courts.

·      Desperately lagging behind the rapid development and expansion of information and communication technologies, such as the Internet, social media, cloud computing, big data, &c., which increased the volume and complexity of personal data processing, and posed new challenges and risks for data protection and privacy.

·      Insufficient empowerment of data subjects, as it did not grant them clear and specific rights and remedies, such as the right to be forgotten, the right to data portability, the right to object to profiling, &c., or the right to seek compensation for damages resulting from data breaches or infringements.

·      Ineffective and inconsistent enforcement and cooperation among the data protection authorities across the EU, as it did not endow them with adequate powers, resources, or mechanisms to monitor and sanction data controllers or processors, or to cooperate and coordinate with each other or with third countries or international organizations.

To sum up, EU Law Directive 95/46/EC, the precursor to the GDPR, was inspired by the ramifications of a rapidly evolving ICT environment and legitimate user concerns about violations of various rights, including privacy, and other forms of abuse; but it failed to adequately address the rapidly changing milieu and user concerns and needs. Those failings were the impetus for revamped legislation. Next time we will overview the GDPR, successor to the Directive, its principles, applicability, accountability, &c., following which we will look at Art. 40 GDPR Codes of Conduct, a brief appraisal of GDPR-inspired US state legislation, professional services firms and GDPR, and then websites and GDPR.


–Richard Thomas
