mission responsible #9: Access Now & GDPR in the new decade
|
|
|
Welcome to a new issue of the Mission: Responsible newsletter! In this monthly newsletter, we put the spotlight on a member of the Responsible Data community, on their work and on how it intersects with the topic of responsible data.
For this month’s issue of Mission: Responsible we spoke with Estelle Massé of Access Now, an international organisation that works to defend and extend the digital rights of users at risk around the world, where she leads the organisation’s work on data protection. Working from the organisation’s Brussels office, Estelle has had a front-seat view of the implementation process of the General Data Protection Regulation (GDPR) and its effects on civil society at large. For Mission: Responsible, she shared her thoughts on how the GDPR has affected civil society in Europe and around the world, as well as ideas about what could be next.
|
|
giving a law time to be enforced
|
|
|
On a May day in 2018, the GDPR took effect in all member states of the European Union. It was designed to give control back to citizens and residents over their personal data and to create a uniform data protection law across EU member states. However, the work doesn’t stop with the passing of the Regulation – much of the work required to protect people’s data rights still lies ahead.
“You need to give a law time to be enforced”, said Estelle. “There’s still a long process ahead, there is still guidance needed, and we are expecting a stronger stance from EU member states”, she shared, mentioning that while all EU member states voted in favour of the GDPR, that doesn’t necessarily translate into action. There is also a lack of resources in today’s budgets for authorities to look into data practices in a proactive way, for example, by launching larger investigations into data practices that do not adhere to the GDPR.
|
|
|
Ahead of its implementation date, the new Regulation provoked lots of questions across institutions, civil society organisations and companies in Europe and beyond. How do people feel about the Regulation today? “I’d have to say that there is hope, but we’re not quite there yet with the promises that the GDPR carries”, said Estelle. “There is more awareness around the existence of the regulation and the fact that institutions are protecting them. That was one of the objectives of the reform, and it’s a positive sign.”
The GDPR also put the issue of data rights on the agenda of civil society groups who might not otherwise have thought so much about them – even if, sometimes, interpretation was blurry. (Who can forget the mountain of ‘do you want to resubscribe to this newsletter’ emails that many of us received shortly before implementation?)
As for civil society in Europe, Estelle notes a diversity of opinions about the GDPR. Together with organisations like Privacy International, NOYB and the Panoptykon Foundation, Access Now tries to support civil society organisations in understanding not only what the GDPR means to them, but also how it can help them in their work. “Cases brought under the GDPR are making this awareness grow, and are advancing a new understanding of the rules”, Estelle observed.
This matches with what we’ve seen in our work, too. Last year, in a series of reflection stories, we documented a series of cases where the civil society groups are using the GDPR to support their work.
|
|
rippling rights around the world
|
|
|
The effects of the GDPR are not confined to European borders, and they have influenced conversations about personal data rights across the globe. In a number of countries and regions, talk about introducing new data protection regulations may lead to implementation. “Of course, there will be resistance from parts of the industry and the public sector when a new data protection law is introduced”, she said, “but human rights and user protection should be non-negotiable.”
Already, data protection legislation inspired by the GDPR has been discussed or implemented in other regions. In late 2019, Kenya adopted a data protection law, modeled around the GDPR, and countries like Tunisia, Algeria and Zimbabwe are set to follow suit.
|
|
what’s next for the GDPR?
|
|
|
The GDPR is a huge step in the advancement of user rights, but it is no silver bullet. For example, issues around the confidentiality of communications addressed in the e-privacy Regulation and the role of competition in the use of data are pressing matters, according to Estelle. “Data is not a commodity, but it is often treated that way by companies. When a company acquires another company, it also acquires the data of the company. So, there are privacy risks associated with mergers. It will be interesting to look more into those issues.”
“Ultimately”, Estelle noted, “it’s hard to predict where the GDPR will take us, but I know where we would like it to go.” In December 2019, a new European Commission, led by Ursula von der Leyen, took office, with Danish politician Margrethe Vestager leading the Commission’s digital agenda. “We are closely following the ideas she is putting forward”, said Estelle. “We don’t know yet what the Commission will propose in this area in terms of legislative action, but we see a need for more safeguards in the use of data in an automated context, for instance.”
With both the GDPR and a new Commission in place, Estelle is looking ahead to continue raising awareness about the power of data protection regulations. And the work is far from done: “we need to fight the thinking that data protection will be an impediment for innovation, it is the bedrock of the digital economy.”
|
|
|
As always, feedback, suggestions, and links for the next newsletter are very much welcomed.
You can get in touch with us at hello@responsibledata.io, which goes to The Engine Room team members Paola Verhaert, Laura Guzmán and Zara Rahman.
|
|
|
|
|
