5/18/18 · Law and Political Science Studies

Europe safeguards the personal data of users with multi-million euro fines

Companies and institutions will face multi-million euro fines if they do not adapt to the new European legislation, which is emphasizing user protection
Photo: Tirza van Dijk / Unsplash (CC)

Compliance with the new General Data Protection Regulation (GDPR), a law promoted by the European Union to establish a single criterion for processing personal data, will become mandatory on 25 May. The basic pillar of the legislation is user protection, with multi-million euro fines for companies and institutions if they do not comply with its provisions. Specifically, the GDPR envisages fines of up to 20 million euros or 4% of the annual turnover of the non-compliant party.

The aim is to put an end to widespread practices such as receiving e-mails with advertising owing to the mere fact of having visited a website to purchase something, or receiving messages via WhatsApp from a city council without having consented to such notifications. The GDPR envisages numerous changes, key among these:

  • Unequivocal consent: until now tacit consent was the norm, in other words, companies "deemed" that users were giving their permission to use their personal data unless they explicitly refused. With the new legislation, this has been reversed and companies must obtain unequivocal and verifiable consent.
  • Transparency of information: requests to obtain personal data must be comprehensible and totally transparent with regard to the reason said data is being requested.
  • Right to be forgotten: users need to have control over their data at all times, therefore, as well as the right of access, rectification, deletion and opposition, people will have the right to be forgotten, which implies a strengthened right to cancel. The aim is to also allow the erasure of data in other locations where it could be processed (such as the trail left behind on the internet and in cloud storage services).
  • Data protection officer: in several cases, companies that process personal data will have to appoint a data protection officer (DPO), who will need to be familiar with the legislation and ensure its compliance and guarantee the security of the data it manages.

A new model

Experts from the UOC Faculty of Law and Political Science agree that the GDPR represents a new model in personal data control. Miquel Peguera, an expert in internet law, says that until now "applicable legislation was unable to adequately protect the rights of interested parties" and believes it is necessary to offer greater protection. Mònica Vilasau, professor of Civil Law, explains that "the biggest change is the introduction of the principle of proactive responsibility, since it imposes increased diligence upon data controllers". The expert in data protection says that companies and public authorities not only have to comply with the legislation, but must also "demonstrate a willingness and adopt measures to effectively comply with the legislation".

In this regard, the course instructor Carles San José explains that one of the most significant aspects of the new legislation is "the idea of focusing on the risk, since the measures adopted to guarantee compliance with the GDPR must consider the processing, and the risks to the rights and freedoms of persons. The security measures to be implemented will have to be adapted based on these risks in order to minimize them".


A challenge for public authorities

The public sector is one of the actors affected by the change in legislation that will have to make the biggest effort to adapt to the GDPR. Carles San José explains that all public authorities will have to apply the legislation "with the same intensity", irrespective of their size, and this may create "difficulties in public authorities with fewer resources (such as small town councils), as was the case with transparency legislation, which did not consider these potential differences either and imposed the same obligations on all government agencies". For her part, Mònica Vilasau points out that "public authorities have a huge task before them, which will have to go hand-in-hand with the full implementation of the legislation relating to electronic administration".


The savings may not offset the cost

Miquel Peguera explains that "the cost of complying with the GDPR is high, given that it increases the obligations for processing personal data, in particular by demanding proactive impact assessment measures". Despite this, for companies and public authorities, the legislation means the elimination of an official obligation that has existed until now, namely to notify the authorities of the existence of personal data files.

Although some obligations have been eliminated, "it is true that the implementation of certain requirements of the GDPR may lead to increased financial costs in companies, for example the need to have a data protection officer, although not all companies are required to have one", San José explains. In addition, "there are other obligations, such as conducting an impact assessment, keeping a register of activities, implementing the privacy principles from the design, etc., and all this has a cost too", Vilasau says.