The monthly law journal which covers all aspects of data protection and data privacy: data transfer & outsourcing, marketing and e-marketing, freedom of information (FOI), employee monitoring, privacy compliance, online data acquisition and consent, personal data, website compliance and emerging technologies such as behavioural advertising, cloud computing and smart grids. / read more
Not many people will remember this but in 2008, Richard Thomas, the former UK Information Commissioner caused a fairly dramatic stir in the privacy world - at least among policy makers and fellow regulators - by unashamedly proclaiming that European data protection law was outdated and ineffective to address the technological and privacy challenges of the 21st century. At first, this was regarded by some as an embarrassing admission that could not possibly be right. But only two years later, the European Commission started a process of wholesale legislative reform that culminated with the adoption of the EU General Data Protection Regulation (‘GDPR’) in April 2016. We all know by now that the GDPR is the result of many political and regulatory compromises caused by the precarious balance created by the various forces at play - the unstoppable development of technology, the increasing value of data, the urgent need to protect people’s digital lives, and the prosperity of Europe and the rest of the world.
No one would claim that the GDPR is perfect, not least because we don’t live in a flawless world. But at a recent public debate organised by the Financial Times about whether the GDPR placed unnecessary burdens on businesses, a sizeable majority of 77% of the attendees voted that it did not. German MEP, Jan Philipp Albrecht and I joined forces to argue from slightly perspectives why, despite its imperfections, the GDPR’s burdens were not disproportionate but justified and manageable. Our opponents made very credible arguments in the opposite direction, so it was somewhat surprising to see such an overwhelming level of support for the GDPR coming from businesses. How can it be that such an intricate and prescriptive piece of legislation has already been accepted so widely?