Consumer privacy in network industries
The new EU General Data Protection Regulation (GDPR) – though a step in the right direction – will not be enough to address the reality gap that exists in EU privacy and data protection law. This is one of the key findings of this new CERRE report.
Europe’s framework of privacy and data protection laws certainly needed reform. Digitised economies and data-centric business models have already exposed the shortcomings of current legislation. In this dynamic environment, the report finds that sector-specific privacy regulations are inadequate and should be reviewed with a view to withdrawal. Consistent, future-proof regulation requires a common approach to all industries, and the GDPR is therefore a move in the right direction.
However, the effectiveness of the GDPR may already be undermined by its own legislative history. Attempts to foresee and account for every possible exception and special case, and plans to reserve room for Member States to enact their own legislation, threaten to unravel the intended uniformity and clarification of the law.
While issues of privacy and data protection are often discussed in terms of human rights, the new CERRE report draws on an economic analysis to deliver useful insights that may be missed in the current discussion.
Based on this analysis, and without outsourcing the substantive principles of data protection to market mechanisms, the report calls for a re-casting of the GDPR to serve as a baseline – a set of mandatory minimum requirements on personal data protection. Around that baseline, private actors should be given greater room to contribute to the enforcement and development of the law. Whereas setting the scope of the protected rights should remain a matter of public law, private actors can play a role through liability claims (when the baseline is not met) or through contractual arrangements going above and beyond that baseline. The GDPR already allows for private activities through codes of conduct and certification mechanisms, among others, but more must be done to enlist private actors.
At a time when Data Protection Authorities are already hampered in their enforcement efforts by a lack of resources, the potential role of private activities remains underused.