The General Data Protection Regulation: Its Main Features, Its main Limits: What Can We Draw From It?
A regulation in the field of data protection: what does it change ?
Data protection started to get attention to the EU in 1995 when the first policy to bring minimum standards of security was introduced within the European Union. But, over two decades, lots of things have changed, especially the relationship between our daily occupations and data. Consequently, to address a serious policy for data protection for good, the European Union (EU) introduced 2016 the general data protection regulation (GDPR). This regulation, as all other European regulations are; first, its content is mandatory to be respected by the 27 Member States of the EU; and second, its measures are directly applicable to all the countries of the EU. In light of the regulation one of its main provisions aims at strengthening consumer rights. However, to what extents? how may it also affect other rights that interfere with data such as on the media? This is what we are going to discuss throughout this article.
‘protection of consumer rights’: What does it concretely mean for EU consumers?
Our consumer behaviour has changed: now, many of us buy goods online and wait for them to be delivered. Consequently, if our consumer rights may be invoked in person, they should also be invokable online, shouldn’t they? Therefore, to cope with this new way of consuming, the GDPR aimed at stronger consumer rights.
Indeed, let’s say you are shopping online to offer a gift to your nephew for Christmas. You go on Amazon to choose whatever you like. Before having access to the online shop, a page will appear to ask you to accept or decline cookies. In other words, do you allow Amazon to track your consumer behaviour on their website. If you do not want to, you can adjust the cookies to decline them, which means that your personal data will be erased, and no longer processed. In another scenario, if you would accept the cookies, Amazon would be forbidden to sell your data to as many companies as its wants; this amount is limited. Furthermore, a penalty for non-respect of this rule has been settled and can result in fines, of up to 4% of global annual turnover. Another company than Amazon; Tik Tok, is currently on a trial because it failed to comply with the GDPR’s consumer protection provisions. The company risks a fine of over 25 million euros for failing to protect the privacy of children on the internet. However with a total revenue of 532 million in the EU in 2021 does it actually prove efficiency in the long-run to tackle the risk of privacy exposure of children on the internet?
A better framework to protect EU citizens online…
To sum up, even though the GDPR constitutes an important framework for the data protection of European citizens, its implementation was nonetheless debated. Indeed, as mentioned in the introduction of our article, some provisions of the GDPR may collide with fundamental rights, more precisely the right to freedom of expression and information.
… to the expense of the right to information and expression?
Although the GDPR may consist of a positive policy at the first sight for consumers, its content may jeopardise the right to expression and information. To exemplify, after the publication of an article by a Hungarian media revealing that Orban’s party has been illegally funded by one of his political partners, a political scandal occurs. Because of the chaos it could create in the political scheme, this illegal funder could decide to remove this article by invoking his/her ‘right to be forgotten‘. It would not be that easy though, because the GDPR specifies that this specific right cannot apply when it is for the sake of public interest. Even if this example is fictive, it addresses the following issue: it is the Member States’ responsibility to “reconcile the right to the protection of personal data with the freedom of expression and information”; not the EU’s responsibility. Consequently, leaving the responsibility to the Member States to balance between the right to expression and ‘the right to be forgotten’ results in a loophole to “introduce or maintain disproportionate restrictions on press freedom” for the sake of individual data protection.
What conclusion to draw from the regulation?
Throughout our analysis of the GDPR, we can address two important point regarding the EU in general. First, we can say that the aim of the regulation to give European consumers more rights and freedoms online has been achieved with success, thanks to the GDPR. However, on the other hand, as often criticised for, the EU has failed going beyond protecting consumers. As a result, it shows the limit of the current functioning system: the EU is an added value to the Member States, which stands back as soon as there is a minimum of room for them.
I like the design of your blog. It makes it feel “light” I guess and makes reading it easier.
Thanks a lot for your comment. I tried to make it as easy as possible. when you look at newspaper, most of the subject they address are actually really complex, but they try to give an overview of the issue so they can give their point more specifically.
Thanks a lot !
Hi Boudaud, I like the language you use in your blog, it makes it very easy to read and understand the topic. I would add a bit more on the graphical part of the blog but overall it looks good. I have a question for you though, what is your personal opinion on the idea that the EU has failed on going beyond protecting its consumers. I am very interested in your answer!
Thank you so much bouman! I really appreciate your comment, it is really helpful. I think you are right about the graphical part, I will follow your advice! this is an interesting question… to me, the EU’s failure is not due to the protection of data itself, but actually to the struggle of competences in the relationship between the Member States, and EU treaties brought up by the Member States themselves.