
Photo by Kelly Sikkema on Unsplash
25 May 2020 marks the 2nd anniversary of the General Data Protection Regulation. Two years on, where are we now?
GDPR was hard won. PI, together with other civil society actors, fought from the beginning for a version of the law that offers the strongest rights and protections in the face of intense industry lobbying.
Two years ago, we committed to using GDPR to seek to hold to account the hidden data ecosystem - those companies that amass and exploit large amounts of our data for profit.
Here’s some of the action we’ve taken:
Two years on, our main concern is the lack of implementation of GDPR and the enforcement gap. Our work shows numerous infringements of GDPR, but controllers are not being sufficiently held to account. These infringements not only further exacerbate the opacity surrounding the online data ecosystem but also constitute a major obstacle to the effective exercise of data subjects’ rights, effectively undermining the protection afforded by GDPR and people’s trust in the law to protect their fundamental rights.
Urgent action by data protection authorities is needed to make GDPR a reality in practice.
We are deeply concerned that GDPR protections are being undermined by the way that Member States have implemented derogations (the parts of GDPR which could be changed at national level).
Of particular concern are:
Lawful basis: stretching the interpretation of the conditions set out in Article 6 and introducing broad conditions for processing special category personal data under Article 9 which are open to exploitation, including for example loopholes for political parties.
Exemptions: introducing wide and over-arching exemptions under Article 23, removing the protections of GDPR from huge amounts of processing, with consequences for people’s rights. An example is the immigration exemption introduced in paragraph 4 of Schedule 2 to the UK’s Data Protection Act 2018.
Collective redress: the majority of Member States decided not to implement the derogation in Article 80(2) of GDPR, with hugely damaging consequences for the protection of personal data. Many of the infringements we see are systemic, vast in scale and complex, and thus impossible for an individual to challenge. Yet without Article 80(2) there is no effective redress in place.
GDPR does not and cannot operate in a silo. Just as the right to data protection interacts with other rights, it is essential that other legal frameworks bolster the protections of GDPR. A key example of this is the draft ePrivacy Regulation. Civil society has consistently called for delivery of a strong Regulation.
Today, we join civil society across Europe in writing to the European Commission to call for enforcement, the closing of loopholes and the bolstering of other legal frameworks to support GDPR.
We’ve also written to the UK regulator, the ICO, to express our disappointment at the lack of enforcement action and to encourage action on ad tech, data brokers, political data exploitation and the use of mobile phone extraction by law enforcement, as well as close scrutiny of responses to Covid-19.
In this time of crisis, a strong data protection framework like GDPR should facilitate the trustworthy use of data where necessary and limit the exploitative responses of governments and companies to Covid-19. Sadly, this is not always the case. We see companies already infamous for their data practices taking advantage.
It’s still just the beginning and we will continue to fight with partners around the world to make data protection a reality in practice.