What makes you say that there's no agreement as to what it means?
It feels like I see this sort of view expressed quite frequently. My guess is that it's primarily because people want a reason not to look to comply in lots of cases, or to dismiss GDPR. "How can we comply if no one knows what it really means to comply".
In many cases, the GDPR simply reiterates/builds upon existing data protection law which has a wealth of interpretative decisions and guidance. In other areas, the Article 29 Working Party has been issuing guidance on specific aspects of GDPR.
Yes, the GDPR is a lengthy piece of legislation but there are straightforward steps people can take and they generally centre around respecting users' data.
What makes you say that there's no agreement as to what it means? It feels like I see this sort of view expressed quite frequently.
One fundamental problem is that the GDPR, if interpreted literally and fully enforced to the letter, is absurdly onerous for any small organisation and allows for fines that pose an existential threat without any requirement for proportionality.
Defenders of the GDPR, including some of the official regulators, often argue that concerns are exaggerated and regulators are likely to take a more pragmatic approach, trying to educate those breaching the rules rather than coming in with crippling fines. Maybe that will turn out to be true, but in past instances of overly powerful or broad EU rules, there certainly have been cases of heavy-handedness by regulators and courts, so it is illogical to rely on another result this time.
In any case, pragmatic enforcement would not make the law itself any better. Those responsible for working with personal data still have to err on the side of going too far in their efforts to comply, and thus finding themselves at a disadvantage compared to their competition who do not, or not going far enough, and then risking a regulator dropping the sword of Damocles at any time, with no objective standard for "far enough".
Sure, I see where you're coming from. I guess we'll just have to wait and see whether data protection authorities start dropping 20 million Euro fines on people from day 1 for breaches of the law. My view and instinct is that this won't happen. Even with the relatively low level of fines at present, in the UK for example the Information Commissioner's Office has rarely reached the limit.
However, can you give me specific examples of where it would be 'absurdly onerous' to comply? I assume you're talking about restriction of processing, data portability, rights of erasure in the main? Yes, this creates costs, but overall these are minor matters compared to what the regulators will actually focus on which is blatant misuse of consumer data and failure to implement appropriate security measures.
Also, can you give me examples of heavy-handedness by regulators and courts in relation to EU rules? The main example that could potentially fall within this bracket relates to anti-competitive behaviour. In relation to privacy-related matters, the revised E-Privacy Directive in relation to cookie consent was widely ignored without any real ramifications that I'm aware of. On existing data protection law generally, data protection authorities have been relatively restrained in my experience, with the larger fines coming from blatant misuse of personal data or data breaches where even basic security protections were not in place.
What detrimental effects do you think will follow from complying with GDPR compared to those who do not? I'm not saying there won't be any but would be good to understand if you have any specific examples. Do you imagine that whilst some organisations strain to comply with GDPR, others will be forging ahead with new features and capturing market share?
Another point on competition is that on one view, because GDPR is expanding the territorial scope, this levels the playing field to an extent. Increased fines also create a disincentive to engage in behaviour harmful to users' privacy. I appreciate that enforcement will likely remain an issue for those outside the EEA depending on the nature of the entity. I cannot imagine that Google would simply avoid paying the previously levied fines, depending on how the appeals go.
My experience is that many businesses are not falling over backwards to comply with GDPR. I certainly haven't seen businesses going 'too far' in looking to comply. Businesses that have taken sound advice have adopted a risk-based approach to GDPR compliance, assessing where the greatest risks are and acting accordingly. The regulatory focus will not be on small businesses, but instead on players like Google, Facebook and those losing vast quantities of user data.
Sure, I see where you're coming from. I guess we'll just have to wait and see whether data protection authorities start dropping 20 million Euro fines on people from day 1 for breaches of the law. My view and instinct is that this won't happen.
Of course it won't, but the unlikelihood of the extreme position doesn't make the broader risk of an excessive or heavy-handed response any better.
Also, can you give me examples of heavy-handedness by regulators and courts in relation to EU rules?
Sure: one of my own businesses received a letter from a national tax authority in another EU member state shortly after the new VAT rules for digital sales came in, alleging that we had committed serious tax offences, demanding payment of money we couldn't possibly afford by a deadline that wouldn't even allow time for consulting lawyers or accountants, and threatening immediate and very scary action against us if we did not comply. At first, we thought it must be some kind of hoax, but then the terrifying reality that we really were being threatened by a state actor with enough power to wipe our fledgling business from existence dawned.
If you've never been on the wrong side of a government mistake, you might suggest that our concern over that letter was overblown, paranoia even. Surely no government would not only make such a mistake but then follow through and cause real damage, right? Well, writing as someone who unfortunately has previously been the victim of another serious government mistake in connection with tax affairs, and had life turned upside down for several months trying to sort it out with very real and very scary consequences, I can personally assure you that concern about the consequences when the system goes wrong is quite justified.
What detrimental effects do you think will follow from complying with GDPR compared to those who do not?
Do you mean what is the cost of compliance for those who try to comply, as compared to just ignoring the rules? The cost is all the overhead of writing documents and conducting audits and setting up systems you might never need, just so that you can tick the right boxes. There are plenty of estimates around suggesting that actually carrying out all the work suggested in black and white in the ICO's guidance for data controllers and data processors would take weeks and cost tens of thousands of pounds at a minimum. There are a lot of microbusinesses, which of course are covered by this law just like anyone else, where that represents literally their entire annual turnover and probably a substantial proportion of the total time they have available to do their work in a year.
Do you imagine that whilst some organisations strain to comply with GDPR, others will be forging ahead with new features and capturing market share?
I'm absolutely sure that will be the case, just as it was with things like the new VAT or consumer protection rules before.
As a direct personal example again, that same business I mentioned before lost weeks of developer time updating systems to comply with the EU VAT rules, including a substantial part of one of our developers' Christmas holiday because the rules came into effect right at the start of the year and guidance was still being updated just days before. We later discovered that hardly any other businesses of our size or even substantially larger were even making a serious attempt to comply, essentially meaning that we had wasted all of that time and money trying to do the right thing, while others including our competitors were apparently committing tax fraud with impunity.
As another direct personal example, not only did we have to spend time and money updating systems to comply with the new consumer protection rules for online sales a few years back, we also saw a noticeable drop in conversions because of the scary legal wording we are now required (and this is directly from our lawyer) to display prominently during our checkout process, even though in reality we had always offered significantly better conditions for our customers than anything those consumer protection rules actually required anyway. And of course any competitor outside the EU was free to continue with the streamlined checkout process they had, no scary wording required.
My experience is that many businesses are not falling over backwards to comply with GDPR. I certainly haven't seen businesses going 'too far' in looking to comply.
Are you advising my business to knowingly break the law?
Businesses that have taken sound advice have adopted a risk-based approach to GDPR compliance, assessing where the greatest risks are and acting accordingly.
What did that advice cost, and what proportion of small or micro businesses do you think have paid to receive it?
The regulatory focus will not be on small businesses, but instead on players like Google, Facebook and those losing vast quantities of user data.
So they said about the VAT rules, a few weeks before a government organisation against which my business and I had no meaningful defence threatened to destroy a large part of my life that I and others had spent several years building. You'll forgive me, I hope, if I don't take their word for it this time.
What is "it"? GDPR is in large part based on the Data Protection Directive from 1995 and "Convention 108" from 1981. There is ample case law, data protection authority opinions, guidance, etc.