Journal

GDPR: Good for social media users, bad for business

By on
11

The EU regulations may not be the change the world of data protection actually needed, says law graduate Chloe Amies in her shortlisted entry to the BARBRI International Privacy Law Blogging Prize

As most people will be aware, after the 25 May 2018 the General Data Protection Regulations 2016 came into force in the UK and the Data Protection Act 1998 will cease to exist. If you are not aware, where have you been? Emails with the subject line, ‘We’ve updated our Privacy Statement…’ were a near-daily occurrence in the run-up. However, the regulations may not be the change that the world of data protection actually needed.

It would be basically impossible to argue that UK data protection did not need reforming. Protection of personal data in the UK was covered by the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. However, these were designed to protect our personal data in an era when the internet was still in its early stages, Facebook hadn’t been invented yet and apps didn’t exist.

We now live in a networked environment where certain technology giants have the negotiating power of what appears to be a small country.

Personal data now has a value and is bought and sold by social media corporations in exchange for free services. If we did not volunteer personal information to Facebook (and apparently give them the right to harvest our data too?) they would not provide their service for free. Algorithms now make decisions about and for us without our knowledge and our data is processed seamlessly and invisibly.

BARBRI International is hosting an Independence Day party and you're invited! Click here to register to attend

When this is all taken together it demonstrates that there is an urgent need for data protection law that has current technological advances in mind — this was the rationale for the GDPR. The GDPR require greater transparency from those who possess personal data in their activities and a principle of accountability whereby they must demonstrate compliance with the regulations.

The GDPR have introduced new concepts into data protection law. For example, the principle of ‘Privacy by Design’ is now mandatory, whereas it was previously only encouraged. This requires privacy to be the paramount consideration from the start of a process and throughout. Article 25 GDPR provides that:

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

It will be surprising to no-one that has studied the law that the law here is as vague as ever (but as all good lawyers will know, vagueness allows for flexibility in the law so it’s fine…) However, this is nevertheless a huge step from the Data Protection Act 1998 where a need for such a principle was not even envisaged.

The ‘dark side’ of the GDPR relates to its application.

The regulations apply to anyone who is processing data regardless of the size of the workforce, turnover, negotiating power, etc. Through working for a small business, I know first-hand that they rely on their contact databases to generate profit, however the method used to compile these databases may no longer comply with the GDPR. Therefore, smaller businesses that posed no threat of unlawfully processing data, and even if they did the consequences of this would not be far-reaching, are now restricted as to the ways they can generate income. They must now also spend hours making sure they are able to demonstrate compliance with the GDPR rather than dedicating these hours to profit-making activities.

These businesses often do not have a dedicated legal team so employees who are not trained in the law will have to get to grips with these new, vague, provisions and work out how to implement them whilst also doing their contracted job. For example, privacy by design has been made mandatory, which is good for us social media users, but the law does not explain how this should be implemented. It appears that the GDPR may have created unnecessary bureaucracy for the wrong people.

The problem at hand exists largely in relation to social media companies outside of the EU sharing data, usually with each other, and using our data unlawfully. Small companies going about their business were not part of the problem and should not have their innovation impeded by a response to a problem they did not create. In my opinion, the answer lies in regulating the activities of companies who assume that they are above the law and subjecting them to higher levels of scrutiny.

To cut what could be a much longer story short, there needs to be a way to stop CEOs of companies and of social media platforms from acknowledging that the law exists but finding new ways to avoid it, whilst, at the same time, retaining the ability for small businesses to make the money and provide the jobs that their CEOs have worked hard to generate.

Chloe Amies is a recent LLB graduate from the University of Liverpool, who is going on to study an MA in applied human rights at the University of York.

BARBRI International will be hosting an Independence Day party at its London office on 4 July. Register to attend here.

Please bear in mind that the authors of many Legal Cheek Journal pieces are at the beginning of their career. We'd be grateful if you could keep your comments constructive.

11 Comments

What even

“…It will be surprising to no-one that has studied the law that the law here [on data protection] is as vague as ever (but as all good lawyers will know, vagueness allows for flexibility in the law so it’s fine…”

Law on data protection is not simply “vague”, and neither is the GDPR, it is specific to the extent that is required to achieves its purpose(s). The ICO’s guidance for SMEs provides a tonne of useful exceptions.

SMEs have nothing to worry about with GDPR for three core reasons: (1) they have a plethora of exceptions to rely upon (e.g. “soft opt-ins”); (2) the new rules are to be applied proportionately with respect to a business’s legitimate interests (3) the ICO does not have the resources, nor the intention, to go after low-end SMEs.

I can see what you were trying to achieve with this article, but I think that there is no point in trying to cover such a massive topic in the short word-count allowed by the Legal Cheek article format. Good luck on your LLM at York; a fantastic university if I do say so myself (disclaimer: I studied my LLB at York).

Anonymous

This sounds like it was written by judge hobosexual. Is his name being censored now?

Not Amused

GDPR is catastrophically bad law. The costs of it are absurd.

GDPR alone was a good enough reason to vote leave.

When at all

Is there any way that we can vote for you to leave?

s.32 Salmon Act 1986

Brexit won’t get the UK out of the GDPR. Post-Bexit the EU will restrict transfers of personal data to the UK unless the UK has data protection laws that match the EU’s laws, or else businesses would have to arrange for additional protections for their data transfers (see Art.44-49 of the GDPR). The UK will therefore adopt the GDPR wholesale with minimal changes (see Sch.6 to the Data Protection Act 2018).

That said, I agree with you that it is a not a great law, but we’re stuck with it.

Just Anonymous

“It appears that the GDPR may have created unnecessary bureaucracy for the wrong people.

….

Small companies going about their business were not part of the problem and should not have their innovation impeded by a response to a problem they did not create.”

Absolutely!

What even

If you think small companies should be able to flout the law by virtue of the fact that they’re small then you’re a neanderthal. This law will only work if everyone has to abide by it, 99% of exceptions apply regardless of business size.

Just Anonymous

No, I am not saying that “small companies should be able to flout the law by virtue of the fact that they’re small.”

I am saying that the law should not be what it currently is.

What a silly straw-man.

Even what

Okay then, why do you think that the law should not be what it currently is?

Corbyn. Sympathiser

I’m sorry to have to post this here, but, as there are no longer daily updates, this is as good a place as any, I think.

Regular readers will be thrilled to know that I am leaving the country for an extended period, and will therefore not be commenting on Legal Cheek for the foreseeable future. I’d like to thank the moderation team for their hard work, for the insightful comments of a number of posters, and of course my many imitators. However, since I won’t be darkening the door of this website again, from this post on, you are no longer imitators but successors! Wear it well.

I hope that my posts have been in the main entertaining and/or informative, and wish LC and its posters all the best in the future.

Yours, with sympathies,

Corbyn. Sympathiser

Weyland-Yutani

zero effs given

Join the conversation

Related Stories