Although the GDPR has only been in existence a year, the position of Assistant European Data Protection Supervisor is not a new one, but the role has taken on new importance since the data protection law entered into force last May. The incumbent, Poland’s Wojciech Wiewiórowski, told Leaders League that although the law itself contained relatively few new provisions, the threat of punishment for being in contravention had increased.
Leaders League. Why was the GDPR adopted? What factors made the EU take action?
Wojciech Wiewiórowski. Data protection has been enshrined in EU law since 1995. This update was necessary to come to terms with the legal changes the internet and digital devices have wrought over the last couple of decades. There was also a need to standardize the law; outside of legal texts there was the need to harmonize procedures even though, with the 1995 regulation, progress had already been made in that regard. Data protection had stayed very national in practice. For example, if a French person had a problem with a French company operating online, the matter would be handled by the French authorities, conforming to the process set out in French law. However, with the new system, the complaint can be filed in the country of the complainant or in any other country linked to the issue. It is then up to individual national authorities to take the matter further. In our example, the French authorities would make the final decision, but there would be greater co-operation between the authorities in all the states involved. This simplifies the situation for the claimant.
Given that data protection laws vary from one country to the next, how did the nations of Europe manage to agree on the substance of the GDPR?
From a philosophical point of view, all member states agreed on the need to standardize data protection procedures. However, during negotiations, it became evident that certain countries were very attached to the way they did things within their own borders, and therefore not all aspects of the law could be standardized.
Take, for example, the case of parental consent for gathering the data of their children. Some countries thought parental authorization should be required up to the age of 18, others 16 or even 13. We were extremely disappointed not to have been able to reach an agreement on this issue. It was left for each country to set its own age limit.
Was it hard getting the GDPR off the ground? Did you think that at the moment of its entry into force businesses were prepared and had all the tools necessary to be in compliance?
Those companies which respected the law that existed before the GDPR would have had no problem respecting the level of conformity required by the new text. In reality, the GDPR is only a tweaking of the existing 1995 data protection agreement. Certain commentators have called the reform a revolution. I don’t agree with that. The GDPR is an important step in the evolution of data protection rights, but it is not a revolution.
If that’s the case, how do you explain the general sense of unease companies have about it?
That’s down to the media coverage it has got, which has frightened some companies and authorities. But a little while after the entry into force, they came to realize that the substance of the GDPR closely resembles that of the existing law. The companies which were in compliance with the 1995 law had little or no trouble complying with the new one. The others have had to make greater efforts. The only real differences reside in the way the text is applied.
Just what has changed then?
From now on it is possible for data protection authorities to take civil action against organizations in contravention of the law. Thanks to this power, data protection laws carry more weight. This is what has pushed companies to respect the law which, in principle, they should have been in compliance with since 1995.
And yet, there has not been much in the way of sanctions yet.
It’s still early days. There is an extreme imbalance between the number of complaints made and the number of penalties handed out. When the law came into force, we were afraid that there would be many disputes between the various national regulators because of the different approaches that states take, notably when it came to cross-border disputes. We were afraid that some conflicts would be taken before the European data protection committee. However, the initial phase of the application of the new law went much more smoothly than we had thought it would.
Portugal, France and Germany have all handed down their first sanctions under the GDPR. Do you think that other nations are in a position to do the same?
The national authorities are, generally speaking, at the same stage of application of the text. Some have already concluded their first cases, others will be doing so in the weeks to come, but it will take time to obtain clear results.
Why is that?
There are two main reasons. Firstly, the majority of cases ongoing relate to events taking place before the 25th of May 2018, when the GDPR came into force. In these cases the previous law is being followed. Concerning the new cases, the regulators are taking a cautious approach. Their decisions are being scrutinized closely by each national judiciary. Every member state has the right to monitor the consistency of the judgements handed down by the data protection authorities. The regulators are going to great lengths to ensure that their first rulings under the GDPR are not struck down because of a clerical or procedural error. In addition, some countries, like France for example, imposed fines before the GDPR came into effect. The GDPR merely modified powers that the CNIL [France’s data-protection agency] already had. In other countries, such as Finland or Estonia, having an administrative body pronounce financial sanctions is something entirely new. In these countries, regulators are going to have to get used to the new powers they have been bestowed.
What international dimension does the GDPR have?
All companies, organizations or entities proposing their goods and services in Europe must respect the GDPR. That is where the international aspect of the GDPR resides. I would even say that the text has an extraterritorial dimension. Even if a company has no base in the European Union, the fact that it offers services there means it must comply with the GDPR. But the text has had a more general international influence. A small group of European nations which are not yet members of the EU have decided to apply the GDPR in their territories, even if they are not officially tied to the new law.
Any other examples?
Countries such as Switzerland or certain Latin American ones share the same approach as us when it comes to data protection. Others whose data-protection systems are diametrically opposed to the EU’s are still using the GDPR as a benchmark. I am thinking here of Japan, Mexico, Thailand and Brazil. Anywhere there is a new data protection law in the world it is immediately compared to the GDPR. As Europeans, we must take pride in that fact. That said, we recognize that there are important cultural differences between the EU and other states. That’s why we were not surprised that countries with very different judiciaries to ours didn’t wish to copy the GDPR. The text was drafted with the European Union in mind and as such it was never going to be a panacea to be copied and pasted to all jurisdictions worldwide.
Are there economic arguments to be made for allowing the level of the data protection to vary from country to country, as the United States suggests?
No, I don’t think so. Once a law is issued, cultural differences between countries must be taken into consideration of course, but we live in a globalized economy these days and while political policies may vary, there are very few economic differences between the United States and the European Union or Asia. The economic model of a particular state is irrelevant when it comes to the application of the GDPR. Take the certification of data, for example. This concept was born in the United States; however, we in Europe took it up and ran with it. The system of privacy by design, whose objective is having privacy measures built into new technologies by default, also originated in North America. It comes from Canada, but we found it interesting and have established it in Europe. This proves that the differences that exist between the American and European economic models should not stop the US from drawing inspiration from the GDPR. That said, I must stress once again that we completely respect the decisions taken in this regard at state and federal level.
By Maeva Kpadonou
(Translation by Simon McGeady)