There is also concern regarding the implementation of the GDPR in blockchain systems, as the transparent and fixed record of blockchain transactions contradicts the very nature of the GDPR.[76] Many media outlets have commented on the introduction of a "right to explanation" of algorithmic decisions,[77][78] but legal scholars have since argued that the existence of such a right is highly unclear without judicial tests and is limited at best.[79][80]
The GDPR has garnered support from businesses who regard it as an opportunity to improve their data management.[81][82] Mark Zuckerberg has also called it a "very positive step for the Internet",[83] and has called for GDPR-style laws to be adopted in the US.[84] Consumer rights groups such as The European Consumer Organisation are among the most vocal proponents of the legislation.[85] Other supporters have attributed its passage to the whistleblower Edward Snowden.[86] Free software advocate Richard Stallman has praised some aspects of the GDPR but called for additional safeguards to prevent technology companies from "manufacturing consent".[87]
Impact[edit]
Academic experts who participated in the formulation of the GDPR wrote that the law "is the most consequential regulatory development in information policy in a generation. An establishment does not need to name an EU Representative if they only engage in occasional processing that does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) of GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10, and such processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.[6] Non-EU public authorities and bodies are equally exempted.[48]
Third countries[edit]
Chapter V of the GDPR forbids the transfer of the personal data of EU data subjects to countries outside of the EEA — known as third countries — unless appropriate safeguards are imposed, or the third country's data protection regulations are formally considered adequate by the European Commission (Article 45).[49][50] As an example, a 2020 study, showed that the Big Tech, i.e. Google, Amazon, Facebook, Apple, and Microsoft (GAFAM), use dark patterns in their consent obtaining mechanisms, which raises doubts regarding the lawfulness of the acquired consent.[134]
In March 2021, EU member states led by France were reported to be attempting to modify the impact of the privacy regulation in Europe by exempting national security agencies.[135]
After around 160 million Euros in GDPR fines were imposed in 2020, the figure was already over one billion Euros in 2021.[136]
Influence on foreign laws[edit]
Mass adoption of these new privacy standards by multinational companies has been cited as an example of the "Brussels effect", a phenomenon wherein European laws and regulations are used as a
baseline due to their gravitas.[137]
The U.S. state of California passed the California Consumer Privacy Act on 28 June 2018, taking effect on 1 January 2020; it grants rights to transparency and control over the collection of personal information by companies in a similar means to GDPR. It is the responsibility and the liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller (Recital 74).[6]
When data is collected, data subjects must be clearly informed about the extent of data collection, the legal basis for the processing of personal data, how long data is retained, if data is being transferred to a third-party and/or outside the EU, and any automated decision-making that is made on a solely algorithmic basis. As part of the withdrawal agreement, the European Commission committed to perform an adequacy assessment.[49][50]
In April 2019, the UK Information Commissioner's Office (ICO) issued a children's code of practice for social networking services when used by minors, enforceable under GDPR, which also includes restrictions on "like" and "streak" mechanisms in order to discourage social media addiction and on the use of this data for processing interests.[56][57]
In March 2021, Secretary of State for Digital, Culture, Media and Sport Oliver Dowden stated that the UK was exploring divergence from the EU GDPR in order to "[focus] more on the outcomes that we want to have and less on the burdens of the rules imposed on individual businesses".[58]
Misconceptions[edit]
Some common misconceptions about GDPR include:
Reception[edit]
