Decoding GDPR and its impact on the EU

“The views represented in this opinion piece do not necessarily represent those of the Willy Brandt School of Public Policy.”

Opinion piece by Rakshit Mohan* and Vishal Kumar**


With the advent of technology and global interconnectedness, there has been a dramatic shift in the way we handle our daily tasks. We are used to sending emails, sharing documents, paying bills, and sharing account details with marketers while shopping online. Under the veil of marketing and raising consumers’ awareness of their choices, advertisers process our data and later monetize it. Herein lies the problem. The fiduciary relationship that consumers and advertisers shared was misused. This made the European Union (EU) step in to protect the digital dignity of its citizens and make sure their private space was not compromised.

January 2012 saw the dawn of EU data protection reform, when the European Commission chipped in to regulate existing data protection policy. In April 2016, a new set of regulations and directives was agreed and adopted by the European Parliament in the form of the General Data Protection Regulation (GDPR), going into effect on May 25th, 2018. In its application to personal data, GDPR is much like the Data Protection Act of 1998. Under GDPR, any data relating to the personal ambit or exclusive domain of an individual is classified as personal data. This can include genetic information, biological and physiological attributes, bank details and even IP addresses. GDPR applies to several enterprises, labeled as either Controllers or Processors. The work ambit of Controllers revolves around the need and method of data processing, subject to legal constraints and consumer accountability. They are also mandated to regularly update records and other data processing activities. Processors are required to process personal data. They act on behalf of Controllers, but legal liability for the burden of a breach between consumers and enterprises falls upon them.

The genealogy of such legislation is traceable in the philosophy of surveillance as told by Jeremy Bentham and Michel Foucault in their principle of the Panopticon. The basic premise of the Panopticon is a system designed so that the smallest number of guards can secure a prison. Foucault further elaborated by expanding the idea of control beyond prisoners and into free citizens. Foucault argues that “social citizens always internalize authority, which is one fount of power for existing norms and institutions”. The globe is already occupied with the same tendency of surveillance across the potential and possible consumers irrespective of any informed consent. The pervasive unwelcome attitude of deliberate intruders has seriously brazened up the digital dignity of citizens, especially when it comes to informational privacy.

Any data about a discerned or a discernible natural person (‘data subject’) bears the hallmark of being distinct and privileged. Any form of mechanized processing of personal information data involving use of personal information means a breach of data security leading to the accidental or unlawful destruction of stored or otherwise processed data. So, regulation forms an essential step in strengthening the limb of a single global interconnected digital market. On one hand, individuals’ inalienable rights are protected, and on the other hand, business rules and regulations for companies are clarified. Both of these constitute quintessential elements for a holistic development of the market. Ample stress of legislation on consent, control, and choice could prompt consumers to better understand and reflect on the ways in which they are surveilled on the web. At the same time, privacy activists use GDPR as a potent weapon in shaping data-handling practices of corporate segments.

GDPR lays down rules and regulations relating to the rights of citizens, their data and their free movement. The regulation seeks to protect the fundamental rights of natural persons in general and personal data in particular. The regulation doesn’t attempt to press limits against free movement of personal data within the territories of the Union. The regulation, however, strictly applies to the processing of personal data, either by automated or by any other available means, that either explicitly forms or is intended to form part of a filing system.

GDPR is an opportunity to flip the economics of the industry. GDPR allows EU citizens to be in command of their data. It also assists marketing giants while garnering consumer confidence. The GDPR stiffens existing rights and opens up new avenues where citizens can exercise greater control over their data, including more effortless and easy access to their data, the exclusive right to data portability, the right to erasure, and the right to know when a user’s data has been hacked.

Enterprises have been financially encouraged to guzzle up privileged data pertaining to consumers and monetize it later across commercial avenues. With the arrival of GDPR, such uninvited invasions of personal data are held in check, and the sharing of personal data has been left to the discretion of EU citizens. They have the freedom to opt in, rather than the burden to opt out. The frequent stress on informed consent throughout the GDPR legislation has also helped in building consumer confidence, hence adding genuine rewards toward the financial building of businesses.

There is an acute need for transparency-building measures enforced with credible accountability. Internet users are used to absentmindedly clicking an accept button which has inscrutable contract terms. People have largely ignored the gravity of this situation, until last year when the potential of cyber warfare to instigate vulnerable youth, suppress minority views, force-feed political ideologies, and even influence elections was exposed. In a white paper called “Corporate Surveillance in Everyday Life,” researcher Wolfie Christl diagrams how personal data is used to influence behaviour and determine what products we browse, what services we have access to, and what prices we pay in a variety of spheres ranging from online transactions to banking. “Every time we click, these companies are trying to figure out, is this a valuable person or this is a worthless person?” Christl says.

GDPR’s culmination shall be determined by the assertion of the newly conferred rights. This new austere data regulatory measure puts the consumer behind the steering wheel, while placing the burden of compliance upon business entities and other organizations. Software products for enforcing privacy are in demand and, in response, corporations have capitalized on this growing demand and released a number of products like VPNs and ad blockers.

Data has become the new currency, and GDPR perfectly balances the liabilities and the avenues of growth for the business entities that prioritize privacy of the individual by being innovative in implementing, improvising, and effectively managing consumer data in its entire longevity, consequently garnering the confidence, trust, and loyalty of the customers.

The rise of privacy concerns leaves no doubt among governments that the strengthening of data protection laws is imperative. GDPR is progressive legislation, giving citizens of the EU a potent shield against unsolicited use of their personal data. People all over the globe are becoming more and more individual-centric, with the right to privacy gaining traction in some countries and standing at the epitome in the developed world. Data protection laws support this right with more vigour and instil confidence among citizens, which in turn promotes a healthy democracy.


*Rakshit Mohan is a Brandt School alumnus (2017 – 2019). He currently works at Citizens Alliance as a public policy consultant.


**Vishal Kumar is a law student at the University of Delhi. He has a keen interest in legal, political and international affairs.