Saturday 2 December 2017

Introduction to the GDPR


Standard YouTube Licence

Jane Lambert

This is the first of a series of articles that I am writing on the GDPR. So much has been written about the topic by lawyers, computer consultancies, government agencies and others that you might think that we need some more articles on GDPR like we need a hole in the head. But we probably do as I found out while looking for materials on the subject for a presentation that I am giving to a local authority on Monday because much of what has appeared to date has been alarming, confusing or even downright misleading.

The initials GDPR stand for the words “General Data Protection Regulation”. That is the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. That is a bit of a mouthful but the title states exactly and precisely what the law is and what it does.

First, it is a regulation of the European Parliament and the European Council. The European Parliament and Council are the legislature of the European Union. The European Parliament consists of 751 members directly elected by the citizens of the European Union 73 of whom represent constituencies in the United Kingdom while the Council consists of representatives of national governments including our own. The European Parliament and Council make three kinds of laws known respectively as regulations, directives and decisions.

 Regulations are laws that come into being upon adoption by the European Parliament and Council with equal effect throughout the European Union without any intervention from the governments of the member states. Directives are instructions from the Parliament and Council to national governments to make or amend their national laws so that they comply with an agreed text. 

 A good example of a directive is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Data Protection Directive”) which required the EU member states to enact data protection regulation by 24 Oct 1998. The United Kingdom implemented the Data Protection Directive by enacting the Data Protection Act 1998 which regulates the processing of personal data in this country in accordance with that directive. 

 Decisions are laws of less importance. One that has been in the news lately is Decision No 445/2014/EU of the European Parliament and of the Council of 16 April 2014 establishing a Union action for the European Capitals of Culture for the years 2020 to 2033 and repealing Decision No 1622/2006/EC which set out the procedure for selecting the European Capital of Culture between 2020 and 2023 which I discussed in Jane Lambert European Capital of Culture 28 Nov 2017 NIPC Brexit. The GDPR is a law that will come into effect on 25 May 2018 throughout the European Union including the United Kingdom as we shall still be in the European Union on that day without any further intervention from the British or any other national government.

Secondly, the title makes clear that the regulation protects the interests of living human beings when data that relates to them are processed by computer or otherwise. The need to control the way such data are collected, collated and used has been recognized ever since the end of the 1960s. In the United Kingdom, the problem was considered by a committee chaired by Sir Kenneth Younger which produced the Younger Committee Report on Privacy (Cmnd 5012) in 1972 and Sir Norman Lindop who wrote a follow-up report on data protection shortly afterwards. Sir Norman wrote:
"The speed of computers, their capacity to store, combine, retrieve and transfer data, their flexibility, and the low unit cost of the work which they can do have the following practical implications for privacy:
(1) they facilitate the maintenance of extensive record systems and the retention of data in these systems,
(2) they can make data easily and quickly available from many distant points;
(3) they can make it possible for data to be transferred quickly from one information system to another;
(4) they make it possible for data to be concealed in ways that might not otherwise be practicable,
(5) because the data are stored, processed and often transmitted in a form which is not directly intelligible, few people may know what is in the records or what is happening to them" (see para 7 of the Report of the Committee on Data Protection (Cmnd 7341)).
Those problems have become even more serious with the growth of the internet.

The third aspect of the law is contained in the words “the free movement of [personal] data. The Younger and Lindop reports might have been left on the shelf to gather dust had the Swedish parliament not enacted a data protection law in 1973. That law, like all subsequent data protection laws, contained a provision restricting the transmission of personal data to countries that did not provide similar protection for such data. When a Swedish local authority wanted to export personal data to a British company that had won an order to make identity cards for the authority, the Swedish data protection authority blocked the transfer because there was no data protection law in the United Kingdom at that time. Even in the 1970s information flows were vital for international business particularly for financial services which have always been important for the UK. The need to protect personal data was quickly perceived as an impediment to business which required a prompt solution.

The OECD proposed a set of guidelines known as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on 23 Sept 1980 that allowed international data flows to continue on the understanding that data controllers would process personal data in accordance with those guidelines. The US government encouraged businesses in the USA to follow those guidelines voluntarily on the basis that it was in their interests to do so and many did so. Successive US administrations always believed that self-regulation and encouraging best practice is a more effective way of protecting personal data than legislation and for that reason, it has never enacted a federal data protection statute although several states have done so. 

Europe has followed a different approach. On 28 Jan 1981, The Council of Europe proposed a regional convention as a model for national data protection laws known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and it was this latter model that the UK followed when we enacted our first Data Protection Act 1984. I wrote about the origins of data protection law in Jane Lambert Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sep 2017 NIPC Law. 

 The policy of the OECD Guidelines and the Council of Europe were very similar. Both aimed at protecting personal data while safeguarding data flows. That policy is reflected in art 1 of the GDPR:
“Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states.

The final element of the title is the phrase “repeating Directive 95/46/EC”. The recitals to the GDPR state that the objectives and principles of the Data Protection Directive remain sound, but the directive has not always prevented fragmentation in the implementation of data protection across the EU, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. It was feared that differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the member states could prevent the free flow of personal data throughout the EU. It was also feared that those differences might constitute an obstacle to the pursuit of economic activities at EU level, distort competition and impede authorities in the discharge of their responsibilities under EU law.

Para (10) of the recitals declared that in order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the EU, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. A regulation was necessary to:
  • ensure a consistent level of protection for natural persons throughout the EU, 
  • prevent divergences hampering the free movement of personal data within the internal market, 
  • provide legal certainty and transparency for economic operators, including micro-businesses and SME, 
  • provide natural persons in all member states with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, and ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. 
Art 94 (1) of the GDPR repeals the Data Protection Directive from the day when the regulation takes effect. It will not automatically repeal the Data Protection Act 1998 or other national statutes that were enacted to implement the diective (though the primacy of EU law would have that effect as the statute would be disregarded wherever the act and the regulation conflict) but that will be done by the new Data Protection Bill after it receives royal assent.

Should anyone wish to discuss this or any of my other articles on data protection, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date
Author and Title
Publication
1 Dec 2017
NIPC Data Protection
11 Aug 2017
NIPC Data Protection

No comments:

Post a Comment