After the Facebook Cambridge Analytica scandal, newly enacted regulation by the European Union known as GDPR is expected to reorient consumer protection. Having replaced the prior privacy law, which was Data Protection Directive 1995, GDPR introduces a bill of digital rights in order to not only curb misuse of private data but to produce greater safeguards for information governance. To generate effective protection, it has been set and adopted as a regulation which can be relied upon by individuals to bring an action against whether Member States or private persons. Notwithstanding its merits, it is worth noting that the strict rules prescribed in this regulation, which have wide ranging impacts on international business owing to the fact that it even includes non-European-based companies handling personal data of Eu citizens, have the potential to put spanner in the works of business entities.
To begin with, In order to be GDPR compliant, which appears to be a requirement for business of all sizes, companies need to employ experts in the given field increasing operating expenditure which can wreak havoc on small businesses and undermine competition. Given the dearth of precedents and the fact that it is a new era which develops gradually, it will be daunting to find the proficient expert to recruit in the first place. The greater accumulation of information is, the more likely that business is to grow and the more difficult handling the data is. Needless to say, margins or errors are extremely high, thus, it dissuade companies from European Market rather than complying with stringent requirements by virtue of the fact that these provisions apply to all organizations and enforcement mechanism is slightly flexible.
It must also be pointed out that in GDPR context, “personal data” has been formulated in a very broad definition which covers even IP address. In practice, not all the private data such as financial data, health data, insurance data and so forth, are created equal. In fact, particular protection will be differently built around those very definitions. Aimed at representing the best interest of customers and their profit as well, more discretion is required for business entities in attaining this. More to the point, fiercely controversial “ right to be forgotten”, prescribed in Article 17, adds more confusion to this and creates ambiguity in its wording particularly about the term ‘ unnecessary information’. On the one hand, this obligation puts too much onus on service providers declining the efficacy of their performance because obtaining informed consent is the basic element in every step, on the other hand, it goes beyond what is necessary by imposing an enormous financial penalty. Negotiating with hackers and cybercriminals so as to reach an agreement might attract attention as a more tenable option rather paying €20 million or 4 percent of the annual global turnover. Receiving negative press can easily tarnish the reputation of companies, in particular, hardly can small ones survive in that regard. As it pertains to harmonization, had it left more discretion for action for the Member States, it could have presumably been enforced more realistically in accordance to the needs and priorities of those territories. In addition to that, in terms of communication, constant requesting for consent in different situations can readily trigger customer’s discontentment in using online process for conducting business practice.
Mohsen Qasemi is currently studying an LLM in European and International Business Law at Leiden University.
Before coming to Leiden Mohsen gained experience in a number of fields in Iran. He worked as a legal advisor at Iran Chamber of Commerce.
Prior to joining the Chamber in 2017, he obtained expertise in commercial law, real estate law and corporate law in Iran working for ADIB Law Firm and UNICEF Iran Office. At the UNICEF Iran he was responsible for researching, coordinating and planning of the educational activities of the office.
Mohsen studied master in International law, Bachler of Laws and Bachelor of Librarian Science in Iran.