I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.
There, I said it. . .
In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.
But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law. Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.
The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition. Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.
Here are 10 reasons why I love the GDPR:
(1) Omnibus and Comprehensive
Unlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.
This baseline is important. In the US, protection depends upon not just the type of data but the entities that hold it. For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities. Health data people share with a health app, for example, might not be protected at all by HIPAA. This is quite confusing to individuals. In the EU, the baseline protections ensure that nothing falls through the cracks.
The GDPR is quite comprehensive in the scope of what it protects as well as comprehensive in the types of protections it offers. In contrast, with many other privacy laws, there are some glaring omissions. Many US privacy laws, for example, fail to address vendor management or have provisions for governance and accountability. These laws are quite incomplete; they are only a partial recipe for protecting privacy.
Additionally, there are many privacy laws with exceptions that open up gaping holes in the law. With the GDPR, I can’t find a lot that is missing or exceptions that swallow the rule.
(2) Requires Organizations to Know Their Data
To comply with GDPR, organizations must know their data. There’s no way to follow GDPR without knowing about the data that one collects and processes.
Knowing one’s data is essential to protecting it. An organization must understand the type of data it has, why it has it, how it is used, and with whom it is shared, among other things. This is the first step to getting a handle on data protection.
(3) Governance and Accountability
The GDPR has extensive requirements for governance and accountability – requiring data protection officers (DPOs), policies and procedures, data protection impact assessments (DPIAs), workforce training, and other key components of an effective privacy program. These requirements are essential for a law to be effectively followed by organizations.
Laws that lack governance requirements are often ignored. Someone at an organization must own the task of compliance; without any owner, compliance will be adrift. There must be policies and procedures, and there must also be training. The best policies are meaningless if nobody knows about them or how to follow them.
(4) Broad Definition of Personal Data
The GDPR defines personal data quite broadly. According to the GDPR Article 4, personal data is “any information relating to an identified or identifiable natural person.”
Many privacy laws cover identified people but fail to adequately cover identifiable people. In contrast, the GDPR has a broad definition of identifiable: “[A]n identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
It is alarming how much data that we think isn’t linkable to a person can actually be linked to that person. The GDPR understands this; many other privacy laws don’t.
(5) Rights and Redress for Individuals
- Right to be informed about the personal data organizations have about them
- Right to access personal data
- Right to rectification – correct errors in personal data or add to incomplete records
- Right to erasure (aka “the right to be forgotten”)
- Right to restriction on processing of personal data
- Right to data portability
- Right to object to the processing of personal data
Few other privacy laws have all of these rights. Many laws omit rights such as erasure and data portability. Other laws provide a rather anemic right to rectification as well as not much ability to restrict processing of personal data.
The GDPR does more than just provide rights; it also has provisions to ensure that those rights are meaningful. For example, the GDPR does more than just require a privacy notice; it specifies the types of things that organizations must disclose to people.
Additionally, individuals whose rights are violated under the GDPR have redress. There must be effective judicial remedies. In contrast, there is no such guarantee in US law. Some laws lack a private right of action. People can complain to regulators, but without any economic incentive to raise complaints, many people will just suffer in silence.
In instances where people can bring lawsuits, many US courts dismiss cases involving privacy or security violations on the view that the individuals haven’t been harmed. These courts have a very narrow view of harm and often require plaintiffs to establish physical, financial, or reputational harm. Privacy and security harms are often of a different nature. Many privacy harms are based on emotional distress, thwarted expectations, or betrayal of trust. Many security harms are based on increased risk rather than actual materialized injury. US courts struggle to recognize these types of harms. The U.S. Supreme Court in Clapper v. Amnesty International and Spokeo, Inc. v. Robins further muddied the waters.
The GDPR avoids falling into this muddy morass by declaring that individuals must have a right to receive compensation when they have “suffered material or non-material damage.” This ensures that important provisions of the GDPR aren’t ignored or deliberately violated because plaintiffs will have a tough time proving harm.
(6) Meaningful Consent
Consent is one of the lawful bases by which organizations can process personal data. The GDPR requires affirmative consent, which must be freely given, specific, informed, and unambiguous. Consent can’t be assumed from inaction. Pre-ticked boxes aren’t sufficient to constitute consent.
This approach is an improvement over the opt-out approach, common in US privacy laws, which infers consent from inaction. As most people don’t read privacy policies, inaction doesn’t really mean consent.
The GDPR also imposes a presumption that consent isn’t freely given if there is “a clear imbalance between the data subject and the controller.” This provision prevents the use of the fiction that highly-coerced “consent” is valid consent.
Another good thing about the GDPR is that it does not allow organizations to require people’s consent to certain uses of their data in order to obtain a service, unless that processing is necessary for the service. HIPAA has a similar requirement – an authorization to use protected health information for marketing can’t be required in order to obtain medical treatment.
The GDPR also has a purpose specification requirement: If a data subject consents to the use of personal data for one purpose, then the data can’t be processed for a different unrelated purpose without obtaining a new consent. In contrast, many other privacy laws omit purpose specification, one of the fundamental Fair Information Practice Principles (FIPPs).
(7) Follows the Data
The GDPR follows the data. This is a very important component of a privacy law. Organizations often transfer personal data to other entities.
Many privacy laws focus just on the contracts organizations make with these vendors, requiring that the contracts include some provision assuring compliance with the law. But this isn’t good enough. Many vendors just sign these contracts but don’t comply. Their only penalties for failing to comply are contractual – the regulators often lack the ability to enforce against these vendors directly.
The GDPR covers the entities that are the controllers of the data (“data controllers”) and also the entities that receive data from controllers to perform functions for the controllers (“data processors”). Enforcement thus follows the data.
When a law fails to follow the data, the data readily falls outside the enforcement ambit of the regulator. These are leaky laws that expose data to a lot of risk in today’s world where data is often outsourced to third party vendors for various functions.
(8) Vendor Management and Data Transfer
The GDPR imposes significant obligations on controllers that contract with processors.
Many controllers have numerous vendor agreements with various companies that perform functions involving personal data. The GDPR requires that controllers perform due diligence in selecting vendors, that controllers have certain provisions in their contracts with vendors, and that controllers monitor vendors for compliance.
Vendors – or “processors” under the terminology of the GDPR – also have obligations under the GDPR and can face penalties for failure to comply.
Under the GDPR Article 28, when selecting processors, controllers must make sure that the processors provide “sufficient guarantees” of their ability to comply with the GDPR.
There must be a contract between the controller and the processor. The GDPR sets forth a series of requirements for these contracts. This is an important thing to include, as many vendor agreements lack all of the essential elements.
The GDPR also restricts the transfer of personal data to other countries. There must be an “adequate level of protection” in order for data to be transferred to those countries. The US has no such requirement.
These provisions of the GDPR ensure that data doesn’t start losing protection as it flows from one organization to another and from one country to another.
(9) Attention-Grabbing Penalties
The GDPR has penalties that make upper management pay attention. Fines for the most serious violations can be as high as either 20 million euros or 4% of total annual worldwide turnover, whichever is higher. Less serious violations can involve fines as high as either 10 million euros or 2% of total annual worldwide turnover, whichever is higher. Overall, under Article 83, administrative fines are to be “effective, proportionate and dissuasive.”
These fines are very hefty. For many organizations, upper management will not devote significant attention or resources unless there’s a significant risk. The GDPR penalties create such a risk, and they drive greater resources. Good privacy protection depends upon upper management caring and devoting the necessary resources.
Far too many privacy laws lack strong enough penalties to make organizations take compliance seriously. The penalties must ensure that organizations are never better off for having violated a privacy law.
(10) Data Protection by Design and Default
Unlike many privacy laws, the GDPR directly addresses design. As Professor Woodrow Hartzog demonstrates persuasively in his book, Privacy’s Blueprint, technological design plays an essential role in privacy protection, and laws often fail because they don’t address design.
Article 25 of the GDPR mandates that data protection be built in starting at the beginning of the design process. This means that data protection cannot be an afterthought and must be documented.
By default, only personal data necessary for each specific purpose of the processing should be processed. Default settings should be set so that personal data isn’t accessible to an indefinite number of people.
* * * *
For a long time, privacy has been a vague consideration for organizations. The result of this was that for many organizations, what it meant to protect “privacy” was just doing a handful of things, often easy things. There was no recipe for privacy, so one just threw in some ingredients and claimed it was done. But, in fact, it was only partially baked.
The GDPR supplies a recipe, one that is clear enough to get upper management to avoid leaving out key ingredients.
My main hope is that the EU regulators don’t snatch defeat from the jaws of victory by failing to effectively enforce the GDPR. Enforcement should be strong without being crippling, consistent and not arbitrary, rewarding of reasonable efforts and good faith, practical and strategic, and sufficiently frequent so as not to appear as a remote risk.
The GDPR is a great achievement, a major step forward for privacy protection. Time will ultimately supply the full verdict on the GDPR, but at this time, the GDPR sets the standard.
With so much worry and stress over GDPR, I think it is important to take a moment and admire it as a grand legislative achievement. It is an immensely intricate law, and it addresses an incredibly challenging set of problems. So, let’s pause in the freak out about May 25 and offer a toast to the GDPR – it deserves our praise and admiration.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event designed for seasoned professionals.