By Iffy Kukkoo
01 Sep, 2017
We’ve already talked about this: unlike any other person inhabiting the planet before the advent of the internet, you have the dubious privilege to live simultaneously both actually and virtually. There are folders on your actual desk at work, but also on your desktop computer; there are a TV, a camera, a bin and a library in your room, but also amid the folders and applications on your laptop. Nothing wrong, right? Our lives have merely expanded, the physical limitations have been theoretically eliminated: I can have millions of epubs and pdfs on my computer, but only a few hundred books in my library.
But it gets a bit weirder from there on: you have an ID and a bank account in your real life, but you have a few IDs and bank accounts on your computer as well; you have friends you see once in a while in person, but many more you chat with via Skype, some of whom you will never even meet; you may even be married in your real life, but have a different partner you share your most intimate desires with on Facebook or some dating site.
And this is where it gets really frightening: as time has gone by, our virtual life seems to have taken over our real life. When was the last time someone asked you for a printed portfolio, instead of a LinkedIn account? Would you prefer handing your boss a report written on a sheet of paper, or sending him a Microsoft Word or Google Docs file? Does it really count that you’re in an actual relationship if your Facebook status claims otherwise?
But, wait a minute! How would you feel if you knew that someone you don’t really know has a copy of your key, can walk into your room whenever he/she wants, can check both your bank account info and journals on a whim, and can even share some of your documents and photos with a third person if that person is strong enough to force him/her or crafty enough to steal them?
Well, that’s exactly how your second life, your virtual life, the one on which you’re spending most of your time, looks every single minute. Even this present moment is no exception: have you ever wondered how many people know that you’re reading exactly this text at exactly this hour? Would you feel comfortable if you turned your head and saw a few people staring at your monitor unblinkingly?
Neither would we.
And it seems that, even though somewhat belatedly, neither would the lawmakers.
It may be the rise of cyber criminals and a few very popular leaks that finally ticked them off, but, nevertheless, a few years ago, Europe’s lawmakers decided to overhaul the existing data protection laws. Back then, the term “Brexit” hadn’t even been invented yet, and, probably, if it hadn’t happened, we would have talked about a law instead of laws, about the General Data Protection Regulation (GDPR) instead of the GDPR and the Data Protection Bill (DPB).
But Brexit did happen and Britain had to find a way to implement Europe’s data protection law, even if in a circuitous manner. So, in a way, the DPB is a truncated version of the GDPR, intended for the United Kingdom only. Being designed to align with the GDPR, it is the UK’s way to bypass Brexit and put the GDPR into practice on British soil.
But, what is GDPR?
By definition, GDPR, or Regulation 2016/679, is a regulation on the protection of people’s privacy with regard to the processing and movement of personal data, repealing the EU’s 1995 Data Protection Directive 95/46/EC (DPA). Two important things to note already: 1) GDPR is a regulation, not a directive, and 2) as a legislative act, it is not the first of its kind.
The distinction between a regulation and a directive is an important one. Both are primary types of legislative acts in the European Union, but as opposed to a directive, which requires all EU member states to achieve a particular result without dictating the means of achieving that result, a regulation is a legal act which becomes instantly and simultaneously enforceable as law in all member states of the European Union.
In other words, come 25 May 2018, GDPR will supersede a two-decade-old act which is currently in force; being a regulation, it will also institute a single set of rules which will apply to all member states.
In fact, it seems that the text of the old Directive was not as problematic as the fact that it was a directive. And this is exactly how GDPR came to be. According to the 2015 Proposal for GDPR (7):
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
Accordingly, even though there are a few major differences between the two legal acts (the definition of personal data, the extent of the law, the size of the penalties, the requirement for positive consent and a compulsory data protection officer), the most fundamental has to be the simplification, the unification, and the centralization of the laws throughout the Union.
To put it into layman’s terms: next year, we’re moving from suggestions to orders, from caretakers to law enforcement agencies, from companies who own your personal data to companies responsible for protecting it for you.
Then again, “we” means something different after Brexit. But, no worries – Britain’s got it covered this time. Not that it had a choice, to be honest.
One of the most important aspects of GDPR is its potential global impact. GDPR explicitly states that it applies not only to EU organizations, but also to companies based outside the Union if they collect or process personal data of EU residents. What this essentially means is that the GDPR is, more or less, a worldwide law.
In other words, even if you’re a UK- or a US-based company, you must still be compliant with the GDPR if you promote your services within any of the EU member states. Bearing in mind the fact that the UK will be a full member of the EU at least until March 2019, and all EU rights and obligations – including GDPR itself between May 2018 and March 2019 – should remain in force until then, the DPB is a legislative act which guarantees that nothing will change afterwards, insofar as data protection is concerned.
Matt Hancock, the British Minister of State for Digital and Culture, acknowledges this in the Foreword to the 7 August 2017 DPB Statement of Intent: