May 25, 2019 marked one year since Europe’s General Data Protection Regulation (GDPR) was first introduced. The regulation puts a great deal of control over user data back into the hands of consumers. Since it was introduced, it has faced both praise from those who consider it a landmark and criticism from those who feel it has not done enough.
We spoke with Hon. Albert Isola M.P., Minister for Commerce of Gibraltar, about his views on the Regulation, privacy and Blockchain.
Some have argued that the GDPR has not lived up to its potential. Would you agree?
GDPR is delivering on its promise of giving people more control over their personal data and levelling the playing field for businesses. However, I would argue that much like how technology has transformed the global economy, the consequences of such a significant reconstruction will not emerge overnight. GDPR is a considerable piece of legislation which will determine the future of the data economy for years to come, and I believe the significant consequences will become apparent in time.
For a long time, many seemed unconcerned about the use and misuse of user data by big corporations. What do you think made people start caring?
Education has played a huge role in shifting public sentiment. By exposing the misuse of data in a public manner, the European Commission has empowered a new generation of data-savvy consumers. High-profile data breaches have also shone a light on the malpractices in data collection from a range of enterprises. However, rather than being unconcerned, I would argue that many citizens were simply unaware of data misuse in the past. Some tech companies have not been forthcoming when it comes to their misuse of citizens’ data. The past year has been essential in drawing attention to the importance of the fundamental right of individuals to have their personal data protected. As the Commission admits, the Cambridge Analytica revelations show the EU has made the right choice to propose and carry out an ambitious data protection reform.
Do you think the GDPR is the needed solution to data misuse problems or do you think there is more that needs to be done?
I firmly believe that GDPR addresses the key concerns of the future digital economy. The regulation has been debated and designed over a period of four years and is an updated version of the 1995 Data Protection rules. The pace of innovation in technology may require future revisions but for the moment, GDPR makes the necessary changes to protect the consumer and boost Europe’s digital economy.
From your experience, what has been the response from tech companies to GDPR?
In general, companies have been receptive to GDPR, and see the regulation as a necessary change for protecting consumers. The Deloitte GDPR Benchmarking Survey reports that despite placing new restrictions on tech companies’ ability to access data in the short-term, 61% of companies see additional benefits of GDPR-readiness beyond penalty avoidance. The GDPR transformation requires regulators and businesses to work together to achieve compliance. In Gibraltar, the Gibraltar Regulatory Authority (GRA) aims to assist organisations and facilitate a smooth transition to the future data protection standards under the GDPR. Gibraltar places strong emphasis on collaboration between our regulator and enterprises.
With data breaches and under-the-table selling of user data, can data privacy ever truly be achieved?
The monetization of data has been a critical revenue stream for businesses in the past decade, and has been responsible for many services now central to modern life. Unfortunately, some companies misuse individuals’ personal data, selling it on to third parties without consent. As we know, GDPR places unprecedented requirements on businesses in this area. Bad actors will likely continue to try and make money from people’s data — however, I am confident GDPR will reduce their capacity to do so.
Some believe that there are not severe enough consequences for misuse of user data for big firms. What, in your opinion, are the appropriate actions to be taken against firms that are caught in violation of GDPR?
GDPR was designed to apply to all types of businesses, from multinationals down to micro-enterprises. The fines imposed by the GDPR are fair and scale with the firm, and I believe this is very important. Any organization that is not GDPR compliant, regardless of its size, must face consequences, and administering fines which are proportional to the size of the company (up to 4% of their global annual revenue) is possibly the most equitable way to do so.
What part do you feel Blockchain technology can play in the securing of user data?
The lead-up to GDPR implementation saw several high-profile scandals where personal data was hacked on centralized data storage platforms. One of the great benefits of blockchain is the potential for a new paradigm of data storage and governance. The decentralized nature of blockchain and other distributed ledger technologies can facilitate great economic advantages. Actors can transact with each other without requiring several layers of centralized intermediaries that have at times been unreliable and insecure in the past. Blockchain allows for information to be stored away from these centralized platforms in a distributed manner. The implications of this are potentially significant in securing data worldwide.
With privacy rights taking up more attention on the world stage, do you think a universal standard can be reached or will each region likely create its own?
As GDPR represented landmark legislation around consumer data privacy, I would foresee other regions looking to the regulation as a standard-bearer. The EU has always attempted to design well-researched regulation balancing public consultation with industry requirements. Other regions would do well to emulate the prudence and diligence that the Commission committed to GDPR policy design in designing their own legislation.