Today, the EU General Data Protection Regulation – or GDPR – comes into effect amid a great deal of anticipation and build-up. For the past few years, companies and policy makers around the world have been preparing for this legislation to come into force. It introduces higher and stricter privacy requirements and heavy fines for noncompliance. The interesting, yet challenging, part of the GDPR is that it applies to all organizations processing the personal data of subjects within the European Union, regardless of their location.
In this sense, the GDPR is an ambitious effort that seeks to fill a gap in the field of Internet privacy. Implementation by organizations around the world has not been easy as the statute is complex and, in many ways, difficult to enforce. This has been particularly so for small and medium enterprises (SMEs) and startups as the costs of ensuring compliance are considerable.
At the Internet Society, we are pleased to see privacy becoming a priority, not just a “nice to have.” As an organization with a global community, operating all over the world, we are among those who have been preparing for the GDPR. Doing privacy well is not easy, but it’s something we care about and believe everyone should have, no matter where they are.
Europe’s intention to create a much stronger and more robust privacy framework has been quite clear all along. For the past few years, Europe has hinted that its understanding of the right of privacy is not only different from many of its counterparts, but also one of its key priorities. The 2002 ePrivacy Directive, the 2014 landmark ECJ decision on the Right to be Forgotten, the 2017 ePrivacy Regulation proposal, and now the GDPR are all clear examples of a region determined to provide strong privacy protections.
All this has allowed Europe to do two things: first, to provide some much-needed substance to the global debate on Internet privacy, which has long been a philosophical debate with few tangible results; and second, through the GDPR, to seek to position itself as a de facto global regulator for privacy.
In the first case, what Europe has achieved is quite remarkable. For the many years of the commercial Internet, privacy outcomes have largely been left in the hands of companies that collect and use personal data, with the result that data collection and use have increased exponentially, often at the expense of users’ privacy. Recent disclosures from leading Internet companies suggest that society still hasn’t managed to strike the necessary balance between data protection and data monetization.
The GDPR seeks to change that by shifting the dynamics of personal data use towards users. It seeks to give them ultimate control over the processing of their data. For instance, the GDPR obligates companies to avoid the current practice of long, unclear provisions written in legalese and hidden in the small print of their Terms of Reference. This will certainly change the dynamics of how privacy is presented and offered to users.
It is in the second point, however, where things start to become complicated.
By applying the GDPR to any organization around the world that collects personal data from any data subjects in the EU, Europe is setting itself up as the leading voice on Internet privacy globally. The question is, will Europe hold the limelight for long? Or will other countries and regions step up their own efforts to tackle privacy in the context of a global Internet?
There is also an element of extra-territoriality in the GDPR with the potential to have a “spill over” impact on larger Internet Governance considerations, including:
- Setting a precedent where countries could start imposing national or regional legislation that has global impact;
- Creating unintended clashes between different laws, which can result in unpredictability and lack of clarity, which could subsequently impede the rollout of global technology;
- Producing “regulatory competition,” the notion of state actors seeking to command the international Internet regulatory environment.
These trends will inevitably create fragmentation.
How this will play out is yet to be seen, but it is likely that this will have repercussions for the future of Internet Governance. At the Internet Society, we believe in a global, open, interoperable, and secure Internet. We also believe in inclusive Internet Governance that strives to accommodate the interests of all stakeholders globally.
As the GDPR comes into force, therefore, we should work collaboratively with all stakeholders towards a more coherent global privacy framework that incorporates compatible global approaches to privacy and personal data protection. One that, just like the GDPR, puts users at the center of control over their data, backed by a global consensus to ensure a more predictable, consistent and enforceable privacy ecosystem.