Article 4 of the GDPR contains its definitions. This is in line both with its predecessor, the EU 1995 Data Protection Directive, and general EU law-making: Customarily, in all EU technical legislation a set of definitions comes before the actual legal provisions. This is basic law-writing technique also met in complex contracts: Definitions come first so as to warrant certainty and common understanding for everybody reading the text that follows.
So is the case with the GDPR: Individuals are “data subjects”; Organisations are either “controllers” or “processors”; “Processing” under the GDPR is far wider than processing in the real world; Profiling, pseudonymisation, or filing system are all defined in this same article, as well as, of course, personal data itself.
My point is, however, why are definitions needed at all in the GDPR? If it does what it claims to be doing, “lay down the rules relating to application of a fundamental human right”, then why does it need technical clarifications and definitions? Do human rights need to be technically specified?
I cannot think of any other fundamental human right that does the same. In fact, I cannot think of any other human right so much in need of specialised legislation in order to function. Normally human rights are general, single-line declarations, intentionally so, in order to cover any and all cases. Technical specificity is not a requirement.
Instead, the fundamental right of data protection in the EU seems to need the GDPR in order to apply at all. Without the GDPR, Europeans seem to be at a loss as to what to do with this newborn right.
Interdependence with the GDPR is explainable, if we trace the history of the right to data protection. It first started as specialised legislation for personal data processing under the general right to privacy, hence specificity was needed. Emancipation came only in 2009, with the EU Treaty of Lisbon; however, by then legislators simply could not think outside the box.
Unimaginative law-making resulted in the GDPR being what it is today. Essentially, the GDPR followed the structure of the 1995 Directive; The Directive itself followed the pattern of basic national EU data protection laws at the time (early 1990s); These followed the first example of the Data Protection Act in Hesse of 1970, whose article 2 (surprise, surprise) contains a set of definitions.
The GDPR therefore inherited its structure and nomenclature from the deep past of European data protection. Because its adoption was deeply political, law-makers did not dare to draft something entirely new, in line with the newly acquired fundamental rights status of data protection. Instead, they chose to follow what was already known and, hopefully, easily digestible by politicians. (Not that such a servile attitude did them any good: if it wasn’t for the Snowden revelations, the GDPR would never have got off the ground.)
What is the problem anyway with the GDPR definitions? They are what they are, why bother to change them?
- First and foremost, the GDPR nomenclature alienates the people it wishes to serve. In theory, the GDPR aims to serve ordinary people, desperate about the ever-growing processing of their personal data in all aspects of their everyday lives. In practice, it comes off as a specialised, hard-to-understand piece of technical legislation that non-experts cannot even talk about without the help of (highly paid) specialists.
- Second, it transmits the wrong image about the GDPR itself. If it is a technical piece of legislation, with checklists on how to process “personal data” by “controllers” and “processors”, then if all items on the checklist are ticked surely compliance, or adequacy, are ensured? This is an important point, leading to deep misunderstandings, when dealing with businesses, the Americans, or the Chinese. However, it is not their fault – it is the GDPR’s, being a set of technical instructions and at the same time a law further defining a human right.
What could have been done? The GDPR should have been worded differently. Definitions should have been scrapped altogether: We are talking about people, after all. The GDPR should only have consisted of the terms persons (or individuals, depending on how neoliberal one feels) and controllers (to denote anybody that processes personal data). Not much else is needed when a human right applies.
The GDPR’s much celebrated right to be forgotten provides that past data can be erased when “they are no longer necessary”. Apparently, this is not the case with the GDPR itself. Instead, EU data protection seems forever trapped in a past when it was struggling for dear life. Fifty years later, although data protection reached the top and finally acquired human rights status, its basic secondary legislation, the GDPR, still has to pay homage to a past it apparently can never escape from.