Has the 2016 General Data Protection Regulation really given consumers more control over their personal data?

Abstract

The General Data Protection Regulation (GDPR) - which came into force in May 2018 - introduced a complete change to data privacy law. Arguably one of the most comprehensive pieces of European Union legislation, the GDPR appears to put data subjects in charge, with new and improved subject rights, wider territorial scope and increased accountability and enforcement mechanisms, all of which aim to strengthen their individual rights. The digital revolution presented the existing data protection legislation, namely the Data Protection Directive (DPD) (1995), with significant challenges. New means of processing personal information have led to increasingly acute consumer concerns over how personal data is gathered, handled, and stored. Modern - and largely intangible - processing methods may result in data subjects lacking control over their personal data. Control is in itself an essential aspect of data protection, not only in terms of privacy, but to uphold informational autonomy. As their own data is affected, a consumer should be able to ‘…predict with sufficient certainty which information about himself in certain areas is known to his social milieu…’ in order to have control over it. This may be done by having the right to choose how data is dealt with and where it will eventually end up.

This article analyses what the Regulation has achieved in relation to giving consumers more control over their personal data. The wording and principles of the GDPR appear to prioritise consumer control, more so than any other European legal instrument. The issue of how GDPR has affected consumers has however received far less attention than the repercussions of the legislation upon organisations. Much academic commentary has focused upon commending, comparing or criticising the European initiative: this article will look to these to gauge whether this ‘gold standard’ reform really ‘does what it says on the tin.’ It compares GDPR with DPD to set out the rationale for reform, having regard to the increased influence and advance of modern technologies in a globalised market; it then argues that the breakdown of technological boundaries means that the DPD had perhaps lost touch, in terms of territorial scope, definitions, and terminologies. It therefore then examines those rights and principles that give rise to greater consumer control over personal data, not least transparency, fairness, lawfulness and accountability. Arguably, changes were not truly ground breaking, given that these principles are similar to those set out in the earlier Directive. The rights contained in the 2016 Regulation clearly reinforce these core principles however, not least the rights to be forgotten, to have data access, and portability.  An enforcement mechanism is a crucial aspect of consumer control. The conclusion argues that, despite clearly improving individual control, the Regulation may still not provide adequate protection when it comes to the most advanced areas in the technological field, namely, where mechanisms automatically or unknowingly process personal data. With this area of law constantly developing, however, it may be premature to critique certain obscure methods of processing: UK citizens similarly face a perhaps unknowable future post-Brexit. The concept of  data protection remains a fundamental right however, given how the Charter of Fundamental Rights of the European Union works alongside the GDPR to uphold individual rights. In other words, both the Regulation – and the concept of a right to data protection  - may be redundant if existing in isolation; they must rely upon each other to operate effectively.