The issues with the EU’s GDPR: can they be solved?

-- By OnaMunozRuscalleda - 26 Nov 2023

Introduction

This essay will delve into the GDPR, the EU's most comprehensive data privacy legislation, and its issues. A possible solution will be proposed and analyzed, namely a global privacy adequacy standard, to reach the conclusion that there is no real means of protecting individual privacy rights.

Privacy in the European Union

In 2016, the European Union introduced the General Data Protection Regulation (GDPR), a robust framework dedicated to safeguarding privacy and human rights. This legislation imposes stringent requirements on organizations operating within EU countries, establishing seven key principles that include data minimization, storage limitations, and transparency, among others. Non-compliance with the GDPR results in substantial fines, creating a robust regulatory environment. I have to admit, I have always looked at the GDPR with optimism and hope. However, I have come to realize that the GDPR is not the holy grail it had been praised to be.

The Issues

  • The EU does not operate in a bubble: whatever regulations the EU enforces affect not only the EU, but any country it wants to export to and trade with. The GDPR fails to take into account that it does not operate in a void, and that there are many different legislations which tackle privacy differently.
  • The GDPR potentially increases cybersecurity risks, because it undermines the transparency of the international systems and architecture that organize the internet.
  • The GDPR’s requirements have been deemed to be too vague for what should be the data protection legislation encompassing all EU business.
  • The GDPR weakens small and medium-sized businesses, while protecting bigger businesses.
  • The GDPR is a regulatory system which aims to make businesses comply with data protections, not a guarantor of personal privacy. However, this issue is not that relevant since it is hoped and expected that if businesses comply with data privacy protections, individuals will be protected as well.

Thus, it can be observed that the GDPR is by no means perfect and not an adequate means of protection of individual rights.

A global privacy adequacy standard?

The issue that I find most troubling is the first one: the fact that privacy protection legislation can only be applied to the country it is issued from, but privacy concerns affect every single place in the world. There have been cases made for a global privacy adequacy standard, but can that really work? A global privacy adequacy standard would have several benefits, the most important being that it would effectively tackle the issue of harmonizing different regulatory standards of privacy. Secondly, through the combination of several pieces of legislation from different countries it is likely that some issues (such as the cybersecurity risks or the vagueness of terms) would be partially solved. Nonetheless, implementing a global privacy standard is extremely complicated. It is almost impossible that every single country in the world would accept such a standard. Furthermore, there is no global institution that could ever implement it, or even draft it. What would it look like? Like the EU’s GDPR? A better version of the GDPR? There are many questions that arise, for which there are no clear answers. It can thus be concluded that a global privacy adequacy standard, while an optimist idea, cannot effectively be implemented.

Conclusion: What can be done?

My personal journey of learning has been the following: I began believing our privacy was always ensured. Then, I thought privacy issues existed in the US but were more controlled in the EU. Attempting to implement a global privacy standard is an extremely difficult, most likely impossible task. I have thus come to the conclusion that there is no privacy, anywhere, at any time. However, this doesn’t mean that the EU is doomed and the GDPR can never work. Upon improvement of the aforementioned issues, it has the potential to become a “very good” means of protecting individual privacy rights. What it cannot claim to be is a perfect means of protecting individual privacy rights, because that would simply not be true.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.