020 7831 0101

Data Protection Regulations: A Blessing or Curse? (Part 2)

 Data Protection Regulations: A Blessing or Curse? (Part 2)

It seems that personal data is beneficial for both the organisations that collect it and the individuals who provide it. The collection of data encourages organisations to invest in product innovation and the delivery of personalised “free services” to their customers. Nonetheless, whether the service is truly “free” remains largely questionable.

Individuals & Personal Data

Many companies participate in data appropriation or the “exploitation” of data from individuals without explicit personal consent, compensation or knowledge.[1] According to a survey conducted by the Digital Catapult Centre, a significant portion of the respondents remain unaware of what “personal data” is, what it constitutes, how it is collected and the ways in which it is later used.[2]

Data privacy policies – featured on every website online – seek to familiarise individuals with data processing activities and to grant them more control over their personal information. However, individuals should take initiative and assume the responsibility of educating themselves on how to protect their valuable information.

The Implications of Regulations & Government Interference

Over the years, both judiciary and executive authorities have become more involved in data protection efforts. They have implemented regulations that not only focus on the “fair and lawful” processing of personal data; but also, enable its free flow for largely commercial purposes. These regulations seek to strike the balance of benefits to both the individuals and the companies.

In 1995, the EU Data Protection Directive 95/46/EC was enacted in order to standardise data protection legislation across the EU. In 1998, the Directive was implemented in the UK by the Data Protection Act. The Act later proved vague, inconsistent and somewhat obsolete against the evolving nature of the technologies that capture, store and transfer personal data.[3] These limitations weakened the legislation’s ability to strike a clear balance between granting individuals their right to privacy and allowing companies to profit from the free flow of personal data.[4]

The General Data Protection Regulation (GDPR), effective as of May 2018, will regulate how companies – both in the EU and abroad – process the personal data of EU residents, establishing a healthier system of checks and balances. The GDPR will further strengthen the mechanisms of the Data Protection Directive by requiring companies to integrate data protection measures within their business model to ensure optimal security, privacy, transparency and accountability. Non-compliance will subject companies to severe penalties including hefty fines calculated on the basis of worldwide annual turnover (similar to the competition law penalty regime).[5] In addition, companies will be required to grant individuals more control over their personal information. For example, individuals will be entitled to various rights including the right to access their personal information, rectify it, erase it, restrict the way it is processed or object to its use.[6]

However, not all rights granted are absolute. For example, the “right to be forgotten” grants individuals the right to request from search engines to remove their personal information if it is proven “inaccurate, inadequate, irrelevant, or excessive.”[7] In this case, the right to be forgotten must be weighed against other fundamental rights (i.e. freedom of expression). More importantly, the new legislation will strive to fully harmonise the data protection law across the EU, making it easier for multinational corporations to comply.

On the 21st of June 2017, the Queen addressed the new data protection law. She confirmed that the UK’s government has created a new Data Protection Bill, which will seek to implement GDPR; in order to, allow the free flow of data across the EU. The bill will ensure the UK’s commitment to a high standard of data protection and privacy.[8]

The implementation of the new data protection regulation will increase the level of transparency between companies and individuals, instilling a newfound sense of trust. By implementing these strategies, companies will minimise the likelihood of data breaches, fraud and identity theft – all of which, can result in the loss of vital information, compromising their reputation and financial performance.  

The future implications of data protection regulations may be perceived as either a blessing or a curse. However, there is hope that legislators will be able to strike the right balance, while ensuring security, privacy and transparency.


This article is the second of a two-part series focused on data protection, written by Yancho Yanchev and Stanley Rowe of Cubism Law's European Practice Group.