The EU General Data Protection Regulation (GDPR) is now only months away from entering into force (May 2018). There have been numerous debates as to how it will change the landscape of data protection in the EU and beyond. But looking at the broader picture, the GDPR brings an important aspect into sharper focus: the integration of human rights into business practices.
Under the magnifying glass: rights and obligations
Most of the discussions surrounding the GDPR are related to the strict terms it will introduce when it comes to the protection of personal data, the rights that users will have, and how these will be ensured. In this regard, the new law introduces several obligations for data controllers (those who decide which data should be collected and how it should be processed) and data processors (those who hold or process the data).
They are, for example, asked to put in place appropriate technical and organisational measures to ensure the security of the personal data they process. If, despite such measures, personal data breaches occur, controllers need to notify the data protection authority, and in some cases, the affected individuals, when the breach risks affecting their rights and freedoms. Implementing these provisions can be a difficult task, and this is why, earlier this month, the Article 29 Working Party published a set of draft Guidelines on personal data breach notification (under public consultation until 28 November).
The broader picture: human rights and business practices
From a broader perspective, the GDPR is one of the first legal acts to firmly introduce the notion that digital rights need to be integrated into the business operations and strategies of companies.
The intersection between business and human rights is not a new concept. The UN has already made progress in this area, through, for example, the UN Guiding Principles on Business and Human Rights. The importance of creating businesses that are built on respect for human rights has been mostly related to their traditional, 'offline' practices. When it comes to rights that affect their online conduct, such as privacy and freedom of expression, their integration into business has been less straightforward. In this context, the GDPR stands out as one of the first instruments that provides a concrete answer on how to practically incorporate human rights – in this case the right to privacy and data protection – into businesses’ online operations.
To start with, the GDPR imposes a set of specific rules and requirements for handling personal data. The implementation of these requirements has a significant impact on how business operations are designed. This is illustrated, for example, by the privacy-by-design concept, which requires businesses to implement human rights standards from the very beginning of the production process. The privacy impact assessment, which becomes mandatory, is another illustration. The right to privacy and data protection will therefore become a paramount factor when developing new business plans and strategies.
Another important aspect of the GDPR relates to penalties and sanctions. The biggest concern of many Internet companies operating in the EU has traditionally been the consequences of non-compliance with competition law and other areas that are related to trade and relations in the internal market, due to high penalties and strict sanctions. The well-known penalty of 10% on worldwide turnover for undertakings in breach of EU competition law is one of the most severe, and indicates the importance of competition law for the EU and its member states.
Interestingly, the GDPR introduces similar sanctions, which are not so common in the human rights area. The maximum fine of €20 million, or 4% of a company’s annual global turnover (whichever is higher), for not complying with certain GDPR provisions, highlights the significance that the EU also places on data protection. In addition, the fact that the EU has opted for a Regulation for privacy and data protection (which is directly applicable to member states), puts more emphasis on human rights and related responsibilities for businesses.
There are different arguments that seek to explain why the EU has chosen this approach, given that data protection has become a business issue with serious implications for the internal market, and that data has become a main trade unit. The reality is that the GDPR’s overarching aim is the protection of the rights of individuals where it concerns the handling of their personal data. Therefore, the core of the GDPR is indisputable in the area of human rights, regardless of its implications in other fields. The biggest contribution that the GDPR brings to the human rights area, therefore, is the strong link it creates between human rights and business practices.
The GDPR will be one of the topics discussed at Diplo's upcoming anniversary conference, Future of Diplomacy, on 17-18 November in Malta. Register and find more details on the conference website: http://15years.diplomacy.edu
This article was originally published in issue 25 of the Geneva Digital Watch newsletter.