General Data Protection Regulation: Issues of compliance and non-compliance


The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection, designed to harmonize data privacy laws across Europe as well as to protect and empower all EU citizens data privacy. It was adopted in April 2016 and will come into effect on 25 May 2018. 

The biggest change to current regulations of data privacy comes with the extended jurisdiction of the GDPR; as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location and whether the processing takes place in the EU or not. 

The regulation also brings a new set of data subject rights, or digital rights, for EU citizens. These include among others the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, and the right to be forgotten which entitles the data subject to have the data controller erase his/her personal data.

This story collects articles looking at what the new GDPR means for business and human rights in the digital economy and human rights concerns arising from non-compliance.

Get RSS feed of these results

All components of this story

8 September 2017

HCLU​ ​&​ ​Access​ ​Now​ ​comments​ ​to​ ​the​ ​Hungarian​ ​law​ ​implementing the​ ​GDPR

Author: Access Now, HCLU

Read the full post here

2 March 2018

Letter by Access Now & EDRi to the French Senate regarding the law on the protection of personal data

Author: Access Now, EDRi

Available in French.

Read the full post here

23 March 2018

EU data protection regulation: what you need to know

Author: Jack Nagle, The Irish Times

The General Data Protection Regulation (GDPR) [...] represents a dramatic departure for EU regulators from the previous directive on data protection...

In recent decades, the arrival of the internet and the advent of mass data processing and analytics enabled EU citizens to generate vast quantities of data through browsing behaviour, social media and buying and selling online...

In drafting the GDPR, the EU is essentially [...] advertising itself as the leading global watchdog in the establishment of a new order with respect to the data rights of citizens.

One of the most significant changes within GDPR is its “expanded territorial scope”...

The new regulations also expand the material scope of data privacy. The definition of what constitutes “personally identifiable data” is being extended...

The GDPR is accompanied by an enforcement regime...; failure to comply is a not an option.

For businesses, GDPR will bring a number of operational requirements. Workplaces will need to implement new business processes such as privacy impact assessments, allocate new responsibilities such as data-protection officer and heed specific rules governing breach notification...

They will also need to have in place a protocol for dealing with subject access requests... Under GDPR individuals can invoke new rights, including erasure of personal data, correction of records, and even requests for data in accessible formats...

Companies [...] can inform themselves of their obligations and their employees’ rights by visiting the website of the Data Protection Commissioner (

Read the full post here

30 March 2018

Europe counts down for the General Data Protection Regulation

Author: New Europe

European citizens will be looking ahead to the May 25 when the EU’s General Data Protection Regulation (GDPR) comes into force, which poses a threat to the policies of US-based tech behemoths as the new set of laws will slap the companies with massive fines if they continue to bundle their services with a demand for customer’s personal data.

Companies must also facilitate the withdrawal of consent and data, allowing customers to demand the deletion of their personal data. Added safeguards must also be in place for anyone under 16 that will include clauses about parental consent for minors who need to hand over their personal information.

The new legislation also says any sizable data-breach must be reported within 72 hours rather than revealed by whistleblowers months and years down the line, as in the case of Yahoo and Facebook.

Facebook has released new laws on how it plans to comply with the GDPR regulation. Google, Amazon, Twitter and other digital behemoths have yet to announce similar moves.

Read the full post here

5 April 2018

Europe is trying to force Facebook to take customers’ privacy seriously

Author: Emily Stewart, Vox

The first major government crackdown on Facebook and big tech in the wake of the Cambridge Analytica scandal and growing concerns about data privacy isn’t going to come from [...] Washington. Instead, it’s likely to come from Europe. 

On May 25, Europe will enact the General Data Protection Regulation or GDPR... The law requires companies to be transparent with what information they’re gathering and why... 

The law will put data privacy and protection at the center of technology design...

What the law does, essentially, is unify rules for how companies handle European citizens’ data, expand the scope of what personal data is, strengthen transparency and consent conditions, and set specific penalties for enforcement...

In the case of the GDPR [...] there’s a risk of putting too much weight on the shoulders of individual users to figure out what to allow to happen with their data. “To the extent that the EU has barreled forward with consent being the key, in this environment when we can’t really know what’s being collected about us all the time and what’s being used, putting the onus on a person to use judgment to allow or disallow something could be problematic...

Read the full post here

12 April 2018

Instagram to build new tool allowing users to download personal data in preparation for GDPR

Author: Alex Hern, The Guardian

Instagram has confirmed it will let users download their personal data, including previously shared photos, videos and messages, as it prepares for the European data regulation GDPR...

GDPR (General Data Protection Regulation) brings with it a number of rights for individuals, including to demand deletion of data, to opt out of future data collection, and to view the personal data a company possesses and to download it in a format that can be moved over to competitors.

These were the requirements Instagram would fulfil shortly, the company confirmed to TechCrunch. “We are building a new data portability tool,” a spokesperson said. “You’ll soon be able to download a copy of what you’ve shared on Instagram, including your photos, videos and messages...

It is unclear whether the company will also include details of a user’s advertising profiling in its data download...

A number of data breaches may also be made public next month as companies race to beat the GDPR deadline...

According to EUObserver, the European commission intends to police that deadline according to the date of disclosure, not the date of the underlying breach.

Read the full post here

31 May 2018

Facebook & Google first co's to face complaints of GDPR noncompliance over 'forced consent'

Author: Alex Hern, The Guardian

"Facebook and Google targeted as first GDPR complaints filed", 25 May 2018

Facebook and Google have become the targets of the first official complaints of GDPR noncompliance...

Across four complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argues that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given...

In a statement, Google said: “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU general data protection regulation. Over the last 18 months, we have taken steps to update our products, policies and processes to provide users with meaningful data transparency and control across all the services that we provide in the EU.”

Facebook’s chief privacy officer [...] told the Guardian: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on 25 May..."

Read the full post here

7 August 2018

UK: Deliveroo's employment practices contradict GDPR regulations & undermine workers' rights, says union

Author: Aliya Ram, Financial Times

"Deliveroo’s substitute courier policy called into question", 6 August 2018

Deliveroo narrowly avoided demands for union recognition and workers’ rights last year, after giving couriers the option of substituting people to deliver food on their behalf. The Central Arbitration Committee, a government body that oversees the regulation of UK labour laws, ruled that the contractual promise meant riders were self-employed, not workers entitled to collective bargaining powers and other rights...

[T]he Independent Workers Union of Great Britain [...] said Deliveroo’s data protection obligations under the EU’s General Data Protection Regulation contradicted the substitute policy...

Deliveroo’s data terms say couriers must keep customer information safe.

“You have the right, without the need to obtain Deliveroo’s separate prior approval, to arrange for a substitute to process the customer data on your behalf...” the policy says...

But under the UK’s Data Protection Act, which translates GDPR into UK law, Deliveroo is ultimately responsible for keeping data safe and would need to be informed when a courier appointed a substitute.

“This sounds awfully like Deliveroo has an absolute right to refuse consent to the use of a substitute by a Deliveroo rider,” said Mr Moyers-Lee, [general secretary for the IWGB]...

Deliveroo said: “The courts have made clear that Deliveroo riders are self-employed and we are confident that Deliveroo’s data policy is consistent with the right to substitute.

“We continue to make the case that the government should end the trade-off between flexibility and security by allowing companies like Deliveroo to offer further benefits without the risk of reclassification.” [also refers to Uber and Airbnb]

Read the full post here

21 January 2019

France fines Google €50 million for "lack of transparency & valid consent regarding advert personalization" using GDPR rules

Author: Euronews

France's regulatory body dealing with data privacy has fined Google €50 million regarding advertisers’ access to users' personal data, it announced on Monday.

The National Commission on Informatics and Liberty (CNIL) said Google LLC received the financial penalty for a "lack of transparency, inadequate information and lack of valid consent regarding advert personalization."

It marks the first time the CNIL has used the EU's strict General Data Protection Regulation (GDPR)...

The authority said Google did not take appropriate measures when asking users for their data.

"The restricted committee observes that the users’ consent is not sufficiently informed," the CNIL wrote in a statement...

Google said in a statement: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR.

"We're studying the decision to determine our next steps."

Read the full post here

5 August 2019

German data protection authority orders Google to halt human review of voice AI recordings over privacy concerns

Author: Natasha Lomas, Techcrunch

"Google ordered to halt human review of voice AI recordings over privacy risks", 2 August 2019

A German privacy watchdog has ordered Google to cease manual reviews of audio snippets generated by its voice AI. 

This follows a leak last month of scores of audio snippets from the Google Assistant service...

The Hamburg data protection authority told Google of its intention to use Article 66 powers of the General Data Protection Regulation (GDPR) to begin an “urgency procedure” [...] last month. 

Article 66 allows a DPA to order data processing to stop if it believes there is “an urgent need to act in order to protect the rights and freedoms of data subjects”.

This appears to be the first use of the power since GDPR came into force...

Google says it responded to the DPA on July 26 to say it had already ceased the practice — taking the decision to manually suspend audio reviews of Google Assistant across the whole of Europe...

It’s not clear whether Google will be able to reinstate manual reviews in Europe in a way that’s compliant with the bloc’s privacy rules. The Hamburg DPA writes in a statement [in German] on its website that it has “significant doubts” about whether Google Assistant complies with EU data-protection law.

“We are in touch with the Hamburg data protection authority and are assessing how we conduct audio reviews and help our users understand how data is used,” Google’s spokesperson also told us...

The DPA also urges other regional privacy watchdogs to prioritize checks on other providers of language assistance systems — and “implement appropriate measures” — name-checking rival providers of voice AIs, Apple and Amazon .

This suggests there could be wider ramifications for other tech giants operating voice AIs in Europe flowing from this single notification of an Article 66 order...

Read the full post here