In May 2018 a new data regulation came into force: the General Data Protection Regulation (GDPR). Even before it took effect, it had many critics; data protection authorities as well as companies protested against the new regulations.
The necessity of new regulations
Technically, the General Data Protection Regulation was meant to set a standard in the EU regarding data regulation in general. The old regulations (“Data Protection Directive 95/46/EG”) of 1995 left too much room for interpretation regarding legal situations in different countries. Furthermore, this regulation was outdated considering the rapid technological developments of the last decades. Social media in particular needs new data protection regulations. One need only think of scandals like the Facebook affair to see the importance of data protection.
What is new?
The main innovation of the GDPR is that it is stricter; all member states of the EU must enforce the law in the same way. Before May 2018 every state could interpret the laws individually, leaving lots of room for interpretation.
GDPR focuses on protection of private data. Processing of private data is forbidden unless the person affected gives their consent. However, the age limit for giving consent was lowered from 16 to 14 years, which was highly controversial.
Transparency has become very important with the new data regulations. Companies must inform their clients about the documentation and usage of their data. Data may only be used for the purpose for which it was collected. Data that was collected for completing a contract, for example, must not be used for marketing purposes. Companies are not allowed to collect more data than necessary. All data must be treated confidentially, and misuse (including by third parties) must be prevented at all times. The new regulations stress the “right to forget”, meaning that companies are obliged to delete their clients' data if the clients demand it. The fact that data protection authorities are entitled at any point to get access to all data of companies (even without giving reasons) is also highly controversial.
Penalties for violations of the GDPR are higher than before (up to 20 million euros). However, private and public organizations and companies which are concerned with law enforcement are excluded from any penalties. This makes the law less generally valid than it claims to be.
Organizations as well as national data protection authorities criticized the new data protection regulations from the very beginning. Companies are bewildered by opaque provisions. They fear that the newly demanded transparency will lead to more documentation work. This might require more staff and might lead to unnecessary mountains of files. According to surveys, data protection authorities say they were not informed properly about their new duties. Authorities in several countries demanded more resources from their governments in order to cope with the new data regulations.