With the tenth anniversary of the GDPR’s entry into force just a few days away, we must inevitably ask ourselves how the regulation has fared to date. Have the accounts been balanced, or is there still an imbalance between the rights recognised in the European Regulation and the obligations imposed on data controllers? Where, in reality, do the legal boundaries lie that distinguish the actual scope of an individual’s power or control over their data (what is now known as habeas data) from the commercial and non-commercial interests represented by data traders or data controllers? It’s hard to say for sure. Ten years have passed, yet we still lack a sufficiently comprehensive overview to clearly understand the unifying effect that the GDPR has had over the years in the scope of personal data protection. Let’s give it a go.
On the one hand, there is a consensus that the GDPR has made a significant contribution to refining and professionalising legislation which, until then, at least at the European level, had left regulation in the hands of the Member States. In line with the legislative strategy based on directives, the Council and the European Parliament laid the groundwork in 1995 to regulate the processing of personal data in the European Union (Directive 95/46/EC), although they made no claim to regulatory comprehensiveness. Their aim was different, more cautious and less ambitious: simply to establish the basic regulatory framework for the protection of European citizens’ personal data as part of their privacy, while leaving Member States free to decide whether or not to implement the Directive. Incidentally, this development was already long overdue in our country, which, at the time, had been a pioneer in regulating this area, as demonstrated by Article 18.4 of the Constitution (the 1978 Constitution, to be precise) and the now long-standing LORTAD (Organic Law 5/1992). Those were different times: simpler, more precise, and less subject to the incomprehensible dictates of Europe’s exuberant legislative output, which is drowning in its own complexity, as recent developments have shown (i.e., the Digital Omnibus Regulation Proposal).
On the other hand, it is also beyond doubt that the GDPR has had a profound impact on every aspect of civil society. A clear and precise recognition of citizens’ rights regarding the legitimate use of their personal data; the establishment of previously unknown principles such as proactivity and minimisation, which make it possible to prohibit any processing that does not comply with its strict standards; or, in short, the arrival on the scene of the ‘DPO’ and their aura of technicality, are clear evidence that the days of legal and technological improvisation for data controllers are over. The old routine that was so effective in the early days after the GDPR’s entry into force no longer works. Businesses, and those in charge in general, must make a genuine effort to stay within the bounds of the law, however dubious they may sometimes seem to us. The reward does not necessarily lie in the (moral) satisfaction of complying with the rules, as my dear Kant would argue, but rather in the avoidance of an (economic) risk that hangs over the heads of data controllers, the scale of which is proportional to their negligence in complying with the rules.
Lastly, we must acknowledge that the GDPR is a crucial link in the chain of digital protection established by the European Union’s political institutions. We are constantly hearing warnings from a wide range of sectors – education, technology, civil society and research – about the excessive and growing erosion of our digital privacy on social media, digital platforms and marketplaces, not to mention the changing and unsettlingly evolving face of AI. The GDPR was the first piece of legislation, closely followed by the Digital Services Act (DSA) and, of course, the Artificial Intelligence Regulation, which paved the way for the legal protection of citizens online and on social media, and which acts as a legal and cultural brake (just ask the tech giants!) on the drive for algorithmic control. Disturbing phenomena such as deepfakes or ultrafakes serve only to remind us that in the world of The Matrix all that glitters is not gold, and only the combined action of legislation (administrative, civil and criminal) can and must put a stop to practices or uses of personal data through these technologies, the good intentions of which remain unclear.
The final question is inevitable: What remains to be done? In my opinion, a great deal. The culture of taking root, in the etymological sense of ‘putting down roots’, within the GDPR continues to take hold. It is a living being that develops, becomes stronger and grows. There are still areas where legal protection needs to be further improved, with the protection of children’s data being of paramount importance. The fact that the Spanish legislature has chosen to lower the minimum age at which valid consent to data processing can be given to 14 years old is a cause for concern in a fluid, ever-changing world such as the digital realm. On the other hand, the prospect of unlimited use, such as that which the manufacturer or mere user of AI seeks to impose on our digital privacy, requires the establishment of clearly defined transparency standards; and, of course, penalties that are sufficiently robust and effective to deter any malicious and illegitimate use of AI to alter our habits and our personality – something which we are unfortunately already witnessing.
The GDPR’s legacy to date has been fruitful and commendable in many respects. Nevertheless, the story of its development has not yet been fully written. On the contrary, as I have pointed out, today more than ever it is necessary to shore up the defences protecting the data subject and ensure that they have full control over their digital identity. It is our responsibility, as legal professionals specialising in privacy and as a key part of the legal system, to strive to write new chapters in that book, and not to be content with what has been achieved over the past ten years.
Written by: José Carlos Erdozain. Of Counsel at PONS IP

