How the GDPR Stacks Up to Best Practices for Privacy, Accountability and Trust

Abstract

The European Commission’s General Data Protection Regulation (GDPR) encompasses perhaps the most monumental pan-European regulation in the last decade and may well become a de facto world standard. The regulation is described as a means to regulate the processing of personal data, the protection of which is a fundamental EU right. The regulation declares, “The processing of personal data should be designed to serve mankind.” The European Commission states that the goals are to give users control of their data and to ease the ability to conduct business. The paper reflects a preliminary investigation to whether and to what degree the choice of instruments of the GDPR conform to the European Union’s research and best practices found in the report “Privacy, Accountability and Trust- Challenges and Opportunities” by the European Union Agency for Network and Information Security (ENISA). The GDPR consists of a set of provisions including Consent, Right to Object to Profiling, Data Portability, Right to be Forgotten/Erasure, One Stop Shop for Privacy Compliance, Data Protection Officers, Data Breach Notification, and Punishments. Meanwhile the four inputs to maximize privacy as defined by ENISA are (1) the user’s knowledge of online privacy, (2) the technology design, (3) the practices of providers, and (4) the institutions governing the system. The investigation shows that there is a deficiency between the provisions and instruments of the GDPR and the inputs recommended by ENISA. While the GDPR stipulates strict regulation (4) and mandates specific business practices (3), it does not discuss how to improve the users’ knowledge of privacy and privacy enhancing behaviors (1), which the Eurobarometer reports are low. This omission is notable as the GDPR claims its key goal is to give users control of their data and to create trust in the society so that the digital economy can grow. Moreover, technology design (2) gets only a brief mention in a paragraph about privacy by design and default. This paper investigates the discrepancy between best practices and policymakers’ choices and proposes some explanations based upon the literature.