Navigating the nexus of EU Policy, Digital Technologies, and Futures (S1/E3)

S1/E3: A little bit of gossip: Am I paranoid or there is indeed someone behind my laptop camera?


In the past episode of this blog series, we saw relevant points of one of the most important EU laws regulating the Digital Space, namely the European Union’s General Data Protection Regulation – the GDPR. In the meantime, some of you showed interest in understanding a little more about the process that led to the genesis of such a powerful legislation that sets trends and norms well beyond the frontiers of the European Union. So, here we are with Episode 3 of our series.

Of course, there are plenty of factors and (lobbying) forces at play when it comes to legislations that are so strict and encompassing as this one. But one very specific event actually made the negotiations of this piece of legislation so lengthy: Do you remember the Snowden revelations of 2013 that the National Security Agency (NSA) of the United States of America was snooping and spying on citizens and politicians around the world? Foes, friends, like-minded and their dogs? There is even a very enjoyable, if frightening, eponymous movie by Oliver Stone on the subject.

I was at the time working at DG CONNECT of the European Commission and could witness first-hand how cybersecurity went from being a geek’s concern to being a major priority of the EU in a matter of a few months only – which in my perspective was the time it took to the MEPs (Members of the European Parliament) to grasp the full implications of the revelations and to the Heads of States to be alerted that they were part of those being spied upon. As a consequence, the GDPR text was modified to a great extent and you may imagine why the negotiations that ensued between the EP and the EU Council were not a walk in the park.

Overall, the final version of the GDPR that was adopted in 2016 has several important differences from the initial proposal by the EC in 2012. It is more extensive, introduced stricter requirements, and significantly increased the penalties for non-compliance. These changes were aimed at providing greater protection for individuals' personal data and strengthening the enforcement of the regulation.

In particular, the following main differences are outstanding:

  1. Scope: The scope of the GDPR was expanded to cover all companies, regardless of their location, that process the personal data of individuals in the European Union. The original proposal only covered companies located within the EU.
  2. Penalties: The maximum penalties for non-compliance with the GDPR were significantly increased in the final version. The original proposal had a maximum penalty of €1 million or 2% of global turnover, while the final version has a maximum penalty of €20 million or 4% of global turnover. (Remember: whichever is higher!)
  3. Consent: The final version of the GDPR introduced stricter requirements for obtaining valid consent from individuals for the processing of their personal data. For example, consent must be freely given, specific, informed, and unambiguous. (Yes, I know, we wish…)
  4. Data Protection Officers (DPOs): A requirement was introduced for some companies, like those involved in systematically monitoring of data subjects on a large scale, to appoint a Data Protection Officer (DPO). The original proposal did not include this requirement.
  5. Right to erasure: The right to erasure, also known as the right to be forgotten, was introduced. This right allows individuals to request the deletion of their personal data under certain circumstances.
  6. Data breach notifications: The final version of the GDPR introduced mandatory data breach notifications, which require companies to notify the relevant supervisory authority and affected individuals within 72 hours of becoming aware of a data breach.
  7. One-stop-shop: The concept of a one-stop-shop was introduced, which should allow companies to deal with a single supervisory authority in the EU for cross-border data processing activities.

Thus, the current EU digital strategy could have been a lot different in case the NSA had managed to catch Edward Snowden before he leaked all those shocking facts to the world. But, we’ll never know…

See you soon, in Episode 4, where we’ll talk about EU initiatives to structure its cybersecurity ecosystem.

Keep tuned!


[This blog series is inspired by research work that is or was partially supported by the European research projects CyberSec4Europe (H2020 GA 830929), LeADS (H2020 GA 956562), and DUCA (Horizon Europe GA 101086308), and the CNRS International Research Network EU-CHECK.]


Afonso Ferreira

CNRS - France

Digital Skippers Europe (DS-Europe)