GDPR Explained: Part One

First I must thank @Matter for pointing me to this full PDF version of the GDPR. Some of my interpretation may be influenced by this rather biased article by National Public Radio as well, but I will try to keep their bias out of this series of articles.

We must begin with what appears to be the thesis of the General Data Protection Regulation. Article 1 states:

1- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

This sets the scene for the protection of "natural rights", which I can only interpret as the property rights of each EU citizen over the data that they own. That is to say that you rightly own your own private data. That view should be tempered with the realization that you are storing that personal data on another person's computer. With that in mind, the question is asked, who owns the data at that point? It is rightly the data of the originator, but the hard drives and electricity that store that data are owned by the server owner. However, the creator of the data stores their private information on another person's server because they believe that they will retain rights to that data regardless of where it is stored.

With that in mind, let's move on to Article 2. Article 2 gives exceptions to the rule of this law. It excepts household data movement and analysis/collection of data by governmental bodies within the EU. This effectively gives the EU government a monopoly on data collection, which some may see as a good thing and others may see as quite sinister. I will stay out of forming opinions at this point, although I think that the majority of you know where I stand on data collection against the will of the consumer by any body.

Article 3 is rightly titled "Territorial scope" because it lays out the territory that this law can affect. The basic breakdown of the scope is any data processors/collectors in the world that manipulate the property rights of any EU resident. That includes foreign residents and natural residents. If an EU citizen is in, say, China, their rights cannot be legally protected by this law. The law reaches a little when it says:

This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

It relies on the "virtue of public international law", which is a relatively weak position, but one will only know how enforceable this part of the article is in due time.

The final article I will be outlining is Article 5. This article is basically a regulation on the processing of personal data. The data collector and processor must be transparent and state a specific purpose for the collection/processing of data. They must also limit the collection/processing to "what is necessary" for their specific purpose. It also states that they must not store the data for longer than necessary for the specific purpose stated. Finally, they must collect, process, and store the data "in a manner that ensures appropriate security of the personal data". This seems pedantic, but as we have all seen from the Facebook trials, not all companies have been prudent with the collection, processing, and storing of personal data.

So far, this law doesn't look very threatening, and perhaps it isn't. However, I have a few points that I have gathered from this initial look into the GDPR.

First, laws like this tend to backfire on the law-makers. They tend to make a law to protect the rights of their residents, then the law ends up being a weapon to attack those it was intended to protect. Think about the Patriot Act in the United States and how it was meant to gather information about enemy threats, but instead it became a weapon against the citizenry and against allies. Experience with laws very similar to the GDPR that seem so very helpful and protective gives me pause. I don't want to see evil in everything, but I have yet to read a law passed to protect citizens that didn't end up being a weapon against them. I am not drawing a conclusion about this law. Perhaps it will be exactly what it claims to be. From what I've seen, the EU tends to be a little more wholesome with their law-making than my own country is. However, I still haven't seen a law made that didn't end up being used against its purpose; not even from the EU (disclaimer: I haven't read every single law on the books, but I have read a fair number of them).

So this concludes the first step in our journey to understanding the GDPR. If you would like to send me a message, look me up on Mastodon.