In the digital age, characterised by the growth of cloud computing and remote access, the importance of protecting personal data has gained new significance. Privacy has become one of the pivotal issues in our time, which does not only affect legislators or technology innovators, but has become relevant to every household, who has internet access or has welcomed smart gadgets home1.
Undoubtedly, technology has played an important role in the emergence of information privacy law. Legislation has been drafted, over the past years, in response to a change in technological trends which have seen an increase in the collection, dissemination and use of personal information. However, initial notions of privacy law developed before the internet boom. Granting importance to the personal and sensitive data of individuals has been around since time immemorial and the need to protect one’s identity seems to have been instilled in individuals since before the Information Age.
European Union – Leading Ahead
Being one of the largest markets in the world, and assuming a leading position in electronic commerce, the European Union has taken an active role in privacy law. Considered as ‘the most consequential regulatory development in information policy in a generation2 the General Data Protection Regulation, May 2018 brings personal data into a protective regulatory regime. Although perhaps, ideas embodied in the GDPR are not entirely European, nor novel in nature, the Regulation has proven to be a pinnacle legislation. Albeit, in weaker and less prescriptive forms, some notions found in the GDPR are also found in US privacy laws and in Federal Trace Commission settlements.
GDPR – Beginnings and Growth
Superseding the Data Protection Directive 95/46 EC the regulation relates to the processing of personal data of individuals (or, also known as data subjects) who are within the EEA. It applies to any enterprise, irrespective of its location which processes personal information of individuals located within the EEA. Since its early inception in 2012, the regulation has undergone rounds of discussions and negotiations, however its main aim has been vital throughout, as is very much a part of the regulation – to give individuals control over their personal data and to simply the regulatory environment for international business by unifying the regulations with the EU3 .
GDPR – Principles
Essentially, personal data of individuals may not be processed without a lawful purpose. The GDPR lays down what are to be considered as lawful processes for data processing, which shall be discussed in detail in following publications.
Following years of negotiations and consultations, the European Union considers the GDPR as an active piece of legislation which has proved itself in its initial years into force. It is estimated that in two years following the entry into force of the legislation, in May 2018, until May 2020, over 4.3 million citizens and businesses have consulted the European Commission’s online portal on GDPR. This series of publications shall be delving deeper into the practical implications of data privacy.