The EU General Data Protection Regulation, Two Years On

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force in the EU. This marked a fundamentally new approach to data protection, privacy, security and user rights. Naturally, libraries as controllers of user data – patron registration data, library website uses, and much more – saw new obligations, responsibilities and processes that they needed to implement. Two years on, where does GDPR stand, and how will it continue to impact the library field?

The implementation and enforcement of GDPR have given rise to a flurry of activity over the past two years. Access Now points out that more than 140,000 complaints were submitted between May 2018 and May 2019 alone. Those found guilty of breaching its provisions have been held to account, with 231 fines or other sanctions levied over the past two years.

Indeed, just a few days ago, the Irish Data Protection Commission issued a draft decision regarding Twitter’s GDPR compliance, moving closer towards the completion of a major cross-border GDPR case. National authorities have already administered fines to Facebook, Google and WhatsApp, and several countries across the world have introduced data privacy legislation inspired by GDPR or the global conversation it launched.

Nonetheless, despite these arguably positive stories of authorities acting to protect privacy, the Access Now report also points out the challenges that GDPR implementation has faced – such as the resource constraints Data Protection Authorities may face or the challenges of cross-border cases. Similarly, in their Open Letter marking the second anniversary of GDPR, European Digital Rights calls for more action to address the GDPR enforcement gaps.

Keeping Up with Events

The timing is helpful. A formal review of GDPR is due for its second anniversary. In addition, the area of data regulation will likely see more significant activity in the coming months and years. Just a few months ago, the European Commission led by Ursula von der Leyen unveiled an ambitious EU Data Strategy, which will aim to facilitate data flows throughout the EU and enable broader use of data in services and products.

As a result, in 2021, Europe can expect a proposal for an EU Data Act, which will of course be linked to GDPR when it comes to such questions as data sharing and user rights (e.g. portability).

Of course, the current pandemic has also raised questions pertaining to GDPR. The COVID crisis has, for example, prompted questions about the more extensive use of health data for research purposes, employee data, or tracing applications and geolocation – and how these relate to the privacy and security protections guaranteed by GDPR rules.

The European Data Protection Supervisor has reiterated that GDPR is designed to be broad legislation, with rules and regulations which are applicable to crisis situations such as this. Nonetheless, there will be a lot of value in an evaluation of the degree to which violations of the right to a private life have been justifiable, and whether tougher or clearer rules are necessary.

Libraries and GDPR, looking ahead

This points us to the question of what these developments can mean for libraries. With the demand for digital library offerings and services surging during COVID, it is particularly important to keep in mind the need to ensure, at all times, the privacy and security of the user data that such activities generate.

GDPR highlights the importance of “privacy by design”, meaning that privacy and security measures are taken into consideration and embedded into the design of new data processing operations from the outset. Similarly, data controllers need to ensure the privacy and security of users’ data when making use of any new third-party platforms or services.

If you are introducing new digital services or processes to your library, it’s crucial to consider whether these might entail collecting any new personal data, or processing it differently. On what grounds would the new data be processed? Are third party suppliers also respecting privacy?

We are yet to see the long-term impact of the pandemic on library services – including the question of whether this large-scale shift to digital will be sustained. In the meantime, it is crucial for libraries to continue putting privacy and security first in any new services or offerings, and keep an eye on any possible future legislation in the field of data regulation!
