Internet and Data Protection Law - Through the Lens of GDPR

The Internet and Data Protection Laws are two interconnected concepts that are impacting our lives significantly. A recent need that has emerged is the protection of civilians' personal data in the digital era, so that everyone can use the internet freely while also having a sense of online security. The issue that is emerging, though, is how the law can keep up with the speed at which technology is progressing, since 'laws move as a function of years and technology moves as a function of months'. On 25th May 2018, the new GDPR regulation became enforceable; thus it must be adopted by all member states. Since then, several have debated whether this regulation will have positive or negative consequences for the countries involved. Undoubtedly, this regulation can have a positive impact, primarily because the protection of our data online is based on the fundamental human right of privacy, which is a crucial matter for our democracy that should not be taken lightly and needs to be properly regulated.

A core aspect of the new GDPR regulation is how the definition of 'consent' for users' data has changed, stating that the user should consent only when he/she is adequately informed and that the standards should be raised when it comes to users' sensitive data. This is important, since many civilians provide their consent without really realising how their data can be used for unlawful purposes. In a very controversial case, widely known as the 'Cambridge Analytica scandal', personal online information was used for unethical purposes. More specifically, this company was accused of using the information it received from Facebook users to develop strategies for certain political campaigns. Evidently, the misinformation of individuals regarding their online privacy rights can be used as a weapon against them, with serious consequences such as altering the outcome of elections.

Another aim of this regulation is to introduce the harmonisation of privacy rules for the parties involved. This pursuit is one that will, in theory, enable justice to be served optimally when a data privacy breach occurs. However, there are concerns about whether it can be successfully executed and how the laws will be applied, for example, to a non-EU-based company. At some point, the legislators wanted to regulate non-European webpages that track the habits of European people online using cookies and related methods. It has been argued that this might have been possible by employing GDPR's jurisdictional test. The relevant factors that are evaluated in these instances include: 'a) the place where the data controller is established, b) the place where personal data is stored or processed, c) the place where the allegedly wrongful act occurs, d) the residence of the data subject and the use of cookies or similar technologies in another state.' It should be highlighted, though, that the process of examining in cyberlaw cases 'whether a jurisdictional basis should be exercised can be quite complex.' Moreover, it is worth noting that, for example, in the US the jurisdictional test will not apply if the right to be forgotten were to be exercised, since it goes against the First Amendment rights of the publisher.

A new fundamental right of the General Data Protection Regulation is the right to request erasure. This right is crucial to an individual's privacy protection online, since people should be able to erase information available about them online, especially information that may potentially damage their reputation. So, will this right become a global one? The answer might be a negative one. In a recent case that involved Google, the Court of Justice of the European Union decided that the tech company must remove data only from European countries. However, it is not obliged to do the same for searches outside the EU. Some consider this result in a positive light, arguing that it can be viewed as a development for freedom of expression, and believe that every country should have its own regulations regarding this matter. Thus, it remains to be seen how the application of this rule will continue to evolve in the future.

In conclusion, one thing is certain: when a law is reformed, there will always be two opposing sides criticising it and weighing the consequences of its application. In this case, this regulation made a significant change to the existing legal framework that was much needed to modernise the legal landscape surrounding our online privacy. In summary, the key changes that were introduced and debated in this legal piece were the new standards for consent, harmonisation of data protection rules, the right to be forgotten and whether this regulation will be globally implemented.



Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119, 1–88

European Convention on Human Rights (ECHR)


Dorraji S.E., Barcys M., ‘Privacy in Digital Age: Dead or Alive?! Regarding the New EU Data Protection Regulations’ (2014) 4(2) Social Technologies <doi:10.13165IST-14-4-2-05> accessed 19 September 2019

Goddard M., ‘The EU General Data Protection Regulation (GDPR): European Regulation that has a Global Impact’ (2017) 59 (6) International Journal of Market Research <doi: 2501/IJMR – 2017 – 050> accessed 20 September 2019

Wimmer K., ‘The Long Arm of the European Privacy Regulator: Does the New EU GDPR reach U.S. Media Companies?’, (2017) 33(1) Communications Lawyer <> accessed 25 September 2019

Wolters P.T.J., ‘The Security of Personal Data under the GDPR: A Harmonized Duty or a Shared Responsibility?’ (2017) 7 (3) International Data Privacy Law <doi:10.1093/idpl/ipx008> accessed 21 September 2019

Other Materials

Barzic G., Chee F.Y., ‘You have the Right to be Forgotten by Google - but Only in Europe’ Thomson Reuters (Luxembourg, 24 September 2019) <> accessed 26 September 2019

Kuchler H., ‘Cambridge Analytica Case Raises Data Concerns’ Financial Times (London, 20 March 2018), <> accessed 22 September 2019

Marsh S., ‘‘Right to be Forgotten’ on Google Only Applies in EU Court Rules’ The Guardian (UK, 24 September 2019) <> accessed 26 September 2019
