The EU’s General Data Protection Regulation (GDPR) is good news for consumers. But its promise will only materialise if industry changes its mindset about data protection and if the law is supported by a strong compliance and enforcement culture, writes Ursula Pachl.
Ursula Pachl is deputy director General at BEUC, the European consumer organisation.
Finally, the General Data Protection Regulation (GDPR) is here. Do not let anybody fool you. This is good news for consumers and for the digital economy. But to a great extent it will depend on two “ifs”: first, the GDPR is a promise which will only materialise if industry changes its mindset about data protection and, second, if it is supported by a strong compliance and enforcement culture.
The GDPR has been one of the most lobbied and talked about pieces of EU legislation in recent history. It has been in the making for over 4 years and another two have passed for it to enter into application. It comes with countless myths and widespread fearmongering: “It will kill digital innovation”, “It will only benefit big tech giants”, “Consumers do not care about privacy”, “It will create consent fatigue” and a long “etc.”
It is time to put all these myths aside and focus on what really matters now. The GDPR must be a game changer which will help stir the digital economy into a new direction. One which is more respectful of our fundamental rights and values. One where consumers are not simply guinea pigs in a data mining farm. One where privacy is not a luxury that only a few can afford. We have high hopes this is where the GDPR will ultimately lead us.
But getting there is going to take time and effort. First of all, many companies will need to change their mindset. Privacy protection must be integrated as one of the core elements of the products and services that they provide to consumers. Those who rely on the commercial exploitation of people’s personal data must adapt their business model.
The ‘take-it or leave-it’ culture – only when consumers give up their privacy they can use the service – must cease to exist. Consumers should no longer have to choose between using a service and giving up their privacy. Widespread commercial surveillance is not only decimating our privacy but is also having disturbing effects on our freedom and our democracies. The Facebook/Cambridge Analytica scandal and all its ramifications are (yet another) wake-up call.
Secondly, we need to develop a strong enforcement culture. We can have the best law in the world, but if it is not complied with and is not enforced effectively, it is worth nothing. This has often been a weak spot in the EU until now.
Companies could afford to take a relaxed approach towards compliance since the consequences of not respecting the law could in many cases be considered negligible. We trust that data protection authorities, with their reinforced powers and new enforcement tools, will take a strong stance from now on. Our members, national consumer organisations, will also keep a close eye on the market and will not hesitate to act to defend consumers’ privacy.
Last but not least, we all have to continue working to make sure people are aware of why privacy matters in the digital age and to make sure they are familiar with their rights under the GDPR. People have rights, they need to exercise them.
All the privacy challenges we see today will not be solved miraculously by the GDPR from one day to the next. Even if we have strong rights, we are still largely dependent on the goodwill of all those companies whose services we use every day. Some of them are so dominant in our lives that we do not really have a choice of not using them.
It is going to take time, public pressure, brave enforcers and some landmark court rulings until the market changes its mindset. The commercial exploitation of our privacy is not the only way to run a business in digital markets.