The road to the European Union’s General Data Protection Regulation has been a game of catch-up, with legislation responding to shifts in the technological landscape.
Sweden was the first country in the world to enact a national data protection law on 11 May 1973, in response to public concerns around the increasing use of computers to process and store personal data. More than 20 years later, in 1995, the internet was the realm of early adopters loading up Usenet newsgroups in cyber-cafés. You could order a video tape to explain it all, because you certainly couldn’t Google it or ask Facebook or Twitter for help.
This is the environment in which Directive 95/46/EC was adopted, on 24 October 1995. Known as the European Union’s (EU) Data Protection Directive, it centred on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Member states had until 1998 to transpose the 1995 directive into national law. Article 29 of the directive set out the composition and purpose of the Article 29 Working Party (WP29), which was launched in 1996.
A 2009 public consultation on the protection of personal data received 168 responses and set the EU on the road to reform. In June 2011, the European Data Protection Supervisor published an Opinion on the Commission’s proposed “comprehensive approach on personal data protection in the European Union” and, in January 2012, the all-new General Data Protection Regulation (GDPR) was proposed. These new rules set out to strengthen online privacy rights for individuals, but also served the goal of boosting Europe’s digital economy.
It was March 2014 when GDPR went up to a vote at the European Parliament, receiving strong support with 621 votes in favour, 10 against and 22 abstentions. Further negotiations on the final text followed and, by the close of 2015, the European Parliament, Council and Commission had reached an agreement.
The WP29 issued an action plan for GDPR’s implementation in February 2016 and the regulation entered into force on 24 May 2016. It applies from 25 May 2018, 20 years after the deadline for implementing the original Data Protection Directive.
Ireland’s data protection history
The first data protection legislation to be introduced into Irish domestic law was the Data Protection Act of 1988, which led to the establishment of the Office of the Data Protection Commissioner (ODPC) in 1989. The 1995 Data Protection Directive was later transposed into Irish domestic law in 2003.
In its first decade, the ODPC struggled with public recognition. Its 1997 annual report noted high levels of concern about information privacy but only 2pc of survey respondents mentioned the ODPC when asked to name organisations dealing with privacy complaints.
One of the primary requirements of the 1988 Act was for certain categories of ‘data controllers’ and ‘data processors’ to register with the ODPC, and that register remains publicly available. The number of entries has grown from 1,194 in 1989 to more than 7,000 today.
‘The ODPC investigated just 25 complaints in 1990. Last year, a record 2,642 complaints were lodged and handled’
The ODPC investigated just 25 complaints in 1990. The annual figure reached four figures in the late noughties and, last year, a record 2,642 complaints were lodged and handled.
In that first decade, complaints were chiefly concerned with consumer credit and unsolicited direct marketing. The latter issue prompted regulatory oversight of mail and telephone marketing. By 2006, 39pc of complaints concerned unsolicited electronic communications and, in the late noughties, the ODPC fought to curtail unsolicited marketing text messages from the premium-rate SMS sector by bringing prosecutions in the District Court.
And so, with each passing year, new technologies prompted new concerns. Smart card technologies first appear in the ODPC’s annual reports in 1995, along with loyalty card schemes and RFID technology. E-Government initiatives became a discussion point in 2000 and biometric systems appear in several annual reports from 2001 onwards, while social networking was first broached in 2006.
‘Some years after the right of individuals to access their personal data was granted, it still seems to come as a complete surprise to some data controllers that such a right exists’
– OFFICE OF THE DATA PROTECTION COMMISSIONER, 2010
It wasn’t until the Data Protection (Amendment) Act 2003 that the ODPC was granted the explicit power to inspect an organisation and examine or extract a copy of personal data. Just six such audits were conducted in 2003. Last year, almost 100 audits or inspections were carried out.
Interestingly, considering the rights GDPR intends to give individuals, the ODPC’s annual reports from the 1990s illustrate how little data controllers knew about, and how reluctant they were to honour, requests for a copy of personal data. In a 21-year retrospective published in 2010, the ODPC wrote: “It is still the case some 21 years after the right of individuals to access their personal data from whoever is holding it (public body, private sector, voluntary organisation etc) was granted that it still seems to come as a complete surprise to some data controllers that such a right exists.”
What’s next with GDPR?
GDPR applies from 25 May 2018. The WP29 will be replaced by the European Data Protection Board, an independent body made up of all the EU’s data protection authorities, which will work to ensure that GDPR is applied consistently throughout the EU.
Other instruments will require updating to align with GDPR, such as the ePrivacy Directive and Regulation 45/2001, which applies to the EU institutions when they process personal data. Member states are entitled to provide specific rules or derogations from the GDPR where freedom of expression and information is concerned, in the context of employment law, or for archiving, scientific or historical research and statistical purposes.
‘Consent is key in the framework of GDPR. It must be freely given, informed and unambiguous’
GDPR is a far-reaching and multifaceted regulation, but some of the headline changes are the introduction of fines of up to €20m or 4pc of global annual turnover, whichever is higher, and the establishment of new rights for the individual. These include the right to data portability (to receive your personal data from an organisation in a form that can easily be passed to another), the right not to be subject to decisions based solely on automated processing, including profiling, unless this is necessary for a contract, authorised by law or based on your explicit consent, and the right to be forgotten (to request that an organisation erase your personal data).
Consent is key in the framework of GDPR. It must be freely given, specific, informed and unambiguous, and in the case of sensitive data it must be explicit. Individuals may withdraw their consent at any time, and withdrawing it must be as easy as giving it.
Organisations processing personal data must protect it by default, with the necessary technical and organisational measures in place, and by design, ie with privacy and data protection built into the design and architecture of systems and technologies. Organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU must also comply and, in most cases, designate a representative in the EU. In the event of a breach, organisations must notify their data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals; where the breach is likely to result in a high risk to individuals, those individuals must be informed as well.
GDPR will also lead to the appointment of data protection officers at organisations where required (eg public bodies, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive data). We will likely also see the introduction of certification marks and seals, issued by data protection authorities or accredited certification bodies to those organisations making the grade, reinforcing consumer confidence with an assurance of protection.