The beginning of a new decade is perhaps an opportune time to reflect on the past and plan for the future. A lot has happened in the international privacy community in the last ten years, largely thanks to European leadership. The General Data Protection Regulation (GDPR) is the hallmark of the 2010s. We look forward to the 2020s with Giovanni Buttarelli’s report Privacy 2030: A New Vision for Europe, which was published posthumously and reflects the former European Data Protection Supervisor’s (EDPS), vision for the next decade.
In the international privacy community, the last ten years have constituted a long, arduous journey to the century’s most important privacy regulation, the GDPR, which went into effect on May 25, 2018. The journey was sparked, if we take a long view back, by the 2009 Lisbon Treaty which introduced Article 16 on the right to the protection of personal data. It continued with the European Commission’s research into the deficiencies of the Directive 95/46/EC and a proposal for a new regulation. The journey had ups and downs during the years-long trilogue negotiations, not to mention corporate lobbying, and finally concluded with ratification in 2016. The journey is not over, of course, as GDPR enforcement ensues, following a modest fine against Google about this time last year. The GDPR will be one of those statutes that marks time in the privacy and technology community as before or after GDPR. Its impact much broader than European itself, the GDPR has become the de facto international privacy standard with GDPR “clones” proliferating across the globe, reaching even the shores of a privacy-stubborn United States, with the passage of the California Consumer Privacy Act which took effect on New Year’s Day. The 2020s will tell just how effective the GDPR will be in protecting personal data in Europe and abroad, but with lightning-speed advances in technological innovation, data protection, as Buttarelli’s report shows, is not the only thing at stake; at heart it’s about human dignity.
In Privacy 2030: A New Vision for Europe, Christina D’Cunha completes Buttarelli’s work on defining a vision for European privacy in the new decade. That vision goes far beyond personal data and EU borders. Buttarelli focused on human dignity and ethics as it relates to multiple spheres of life – economy, society, and environment. Buttarelli claimed we need to not only protect the fundamental human right of privacy through legislation like the GDPR, but we also need to level the playing field so that people can effectively exercise their rights. Moreover, we need to create an environment where everyone can live a dignified life without being forced to reach for legal recourse through a variety of costly, piecemeal mechanisms. A privacy-friendly context would redistribute digital power from the very few global technologies companies to more stakeholders, especially consumers, by giving them true ownership over their data and the freedom to control their digital identities. Competition law and antitrust will be important tools toward this end. This environment will also be one where the average person, but especially vulnerable and underserved communities like those in rural areas, children, people of color, migrants, and refugees, are able to share in the benefits of technology. Ethical leadership will be central to designing rules of the game for modern technologies like AI and facial recognition to curb corporate and state surveillance so citizens can preserve their freedom of speech, thought, conscience, association, assembly, and movement. Finally, technology’s carbon footprint will have to be reduced if we are to secure a sustainable future. Buttarelli had faith that Europe can deliver on this vision, recognizing that it will need to partner closely with foreign digital competitors (US and Chinese governments and companies alike) to have impact beyond its borders. Our fates in this interconnected and globalized world, whether we like it or not, are intertwined.