Applicable from May 2018, the General Data Protection Regulation (GDPR) has revolutionised the way we collect and use personal data. It also explains why we can no longer open a web page without being bombarded with consent requests.
Back in the beginning: Franco-German origins
One of the ancestors of the GDPR is without doubt the French “information and freedoms” law of 6 January 1978, which aimed to protect individuals from having their social security number stored unnecessarily.
“But it is advances in information technology that created an international dimension,” explains Sybille Boese-Tarsia, Berlin-based lawyer specialising in personal data protection.
With the arrival of the first computer networks, data started circulating between countries and cross-border cooperation became essential. An overarching framework was adopted by the OECD in 1980 and a European directive followed in 1995, both heavily inspired by the French law.
Germany is also a pioneer in this area, building on “a very strong liberal tradition that treats one’s private life as sacred.” The first federal data protection law, the Bundesdatenschutzgesetz (yes, really), was passed in 1977 and refined by a judgment of the Federal Constitutional Court that established an individual’s right to “informational self-determination”. Remember that Germany was the first country to force Google Street View to blur the homes of citizens who didn’t want their building to appear online.
The United States: partner and enemy
By publishing the GDPR in May 2016, Europe adopted a new approach based on risk. “Until then, companies only had to provide a limited amount of information”, describes Sybille Boese-Tarsia.
From that moment onwards, the focus moved towards preventing and detecting infringements, with far more severe consequences.
Yes, in some countries, like France and Germany, using personal data without permission was already illegal, but this wasn’t really monitored, and fines never exceeded €300,000 – hardly enough to make Google quake in its boots!
Now, fines can reach €10 million or 2% of worldwide annual turnover, rising to €20 million or 4% for the most serious infringements, whichever amount is higher.
This change reflects, among other things, an ambivalent relationship with the United States: pioneers in understanding the impact of technology on our private lives, allies in circulating and managing data, but also potential adversaries, as shown by the mass surveillance orchestrated by the NSA.
The 9 principles of the GDPR
- Transparency & Fairness: collecting any kind of personal data is forbidden unless a legal basis permits it, whether the individual’s consent or a provision of law. Individuals must be informed, and where consent is the basis, it must be given beforehand.
- Minimisation: only the necessary data should be collected.
- Proportionality: the data must be proportionate to its purpose. “Each piece of information is collected for a unique, relevant and precise purpose,” insists Sybille Boese-Tarsia.
- Security: technical measures must be implemented. Data must remain confidential.
- Reactivity: the data must be accurate and regularly updated to remain so.
- Information: the individuals concerned have the right to rectify, transfer or delete their personal data.
- Time limits: an appropriate storage period for each type of data must be established, sometimes dictated by specific legislation, e.g. taxation or employment law.
- Territoriality: the GDPR applies to all organisations, whatever their nationality, that process the personal data of individuals located in the European Union.
- Co-responsibility: in the eyes of the law, both the organisation processing the data (the controller) and its service providers (the processors) are responsible.
About Sybille Boese-Tarsia
Currently a lawyer registered at the Bar of Berlin, Sybille Boese-Tarsia began her legal career in private practice in Berlin and Brussels, before joining various practices run by Belgian, English and Italian lawyers. For more than 20 years, she worked in the legal departments of European, Asian and American companies.
In parallel, Sybille Boese-Tarsia has published numerous articles, taken part in international conferences and run legal training on antitrust law and data protection. She is also certified as a Correspondant Informatique et Libertés (CIL) and as a Data Protection Officer (DPO) under EU law.