Ecology of the GDPR

Is the GDPR an obstacle?

Many will say yes.

Your DPO will tell you that this is not the case and even that the GDPR encourages innovative creation.
However, it is important to distinguish between day-to-day operational targets, generally achieved within a very short time-frame, and societal interests which tend to be spread over several years. It is necessary to reconcile the two.

The GDPR is not just a legal text but a context

The GDPR was not invented in a day. It is based on:

  • A first Directive on the subject in 1995 (Belgium had transposed it very faithfully - the Privacy Law now repealed by the Framework Law of 30 July 2018);
  • A European Charter of Fundamental Rights (cf. Articles 7 and 8). However, Article 22 of the Belgian Constitution includes the same principle: "Everyone is entitled to have their private and family life respected, except under the circumstances and conditions determined by the law. The law, decree or rule referred to in Article 134 guarantee the protection of this right." Yet, there were no computers in 1830;
  • Western democratic thinking on transparency with a view to laying the foundations of good governance in both the private and public sectors (cf. Art. 41 of the European Charter);
  • A European economic approach to the free movement of goods and services. Free movement also affects personal data as the title of Regulation 2016/679 shows.

The GDPR is a shared consolidated vision of several countries on privacy and personal data protection. It brings its share of new features and obligations.
The importance of this tool takes on its full meaning in a world where "data" is seen as a Holy Grail to be captured in order to ensure efficiency, objective decision-making and fairness.

Bad press, why?

In addition to the GDPR, a whole series of legal texts imposes the same obligations of transparency, respect for users and obligations on the owner of the services (IT, communication) deployed. For example, just take a look at:

  • The various texts which protect consumers (e.g.: Directive on unfair business-to-consumer commercial practices);
  • The 2012 e-Privacy Directive (in the process of becoming a regulation);
  • The new Telecoms Framework Directive, the European Electronic Communications Code (EECC), which came into force on 20 December 2018 (recently transposed into Belgian code on 21 December 2021) and which recalls the obligations of telecom consumer protection.

So, why are we grumbling about the GDPR?

There are several possible reasons:

  • The GDPR requires you to justify your data processing actions upstream, whereas up until now such processing was completely free;
  • Because of its principle of minimisation, both in terms of the personal data processed and the length of time this data is retained, or even by virtue of the right to be forgotten, the GDPR is, in a way, counter-intuitive in a culture of "memory", archives, records;
  • The GDPR is complicated because there is no standard recipe for implementing its obligations: it is usually applied on a case-by-case basis;
  • The relationship with the people involved is not only economic. Other values are involved: respect for fundamental rights and freedoms such as the right to expression. This ethical dimension is often at odds with other economic, political and time-related priorities.

And yet an asset

Beyond the rights conferred on data subjects and the obligations imposed on data controllers, the GDPR is a tool which offers other benefits.
Processing data represents economic and environmental costs.

The CNIL's (French Data Protection Authority) Digital Innovation Laboratory (LINC) cites the following figures: "53% of digital energy consumption is due to data storage." Le Monde reports that two searches on the Google search engine can generate about the same amount of carbon dioxide as boiling a kettle for a cup of tea. "Data requires a physical infrastructure in order to be stored, moved and interpreted. Infrastructure implies consuming resources from our geosphere, such as water, oil, electricity, minerals." (RTBF - "L'ère des données")

The GDPR lays down several important and inspiring legal principles:

  • Data minimisation - Only process data necessary for the purposes defined (throughout the life cycle) and the retention period;
  • Personal data safety - Curb data theft and at the same time the duplication (if not the enrichment) of data;
  • Privacy by design - Ensure that privacy and data protection are built into the design (of a website, program or database). This concept may appear unclear but is nevertheless practical. The European Union Agency for Cybersecurity (ENISA) has provided a file/manual which describes the implementation of this concept.

These principles can also contribute to digital sobriety.

The first two principles are self-explanatory: they are questions of volume. The third, however, requires extending the simple GDPR definition of privacy by design, which imposes a proactive rather than a reactive attitude to personal data protection and, therefore, privacy, so that it includes a complementary ontological notion of sobriety: sobriety by design.

Thus, for example:

  • When creating a form, only the necessary and essential fields should have to be completed;
  • If there is no need for traffic analysis on the website or app, there will be no need to install tools such as Google Analytics;
  • It will be necessary to develop a policy and automation for the retention of data stored in the cloud or on local servers;
  • Unnecessary data processing by solution providers will be identified and deactivated.

In conclusion

We must not believe that the GDPR serves to save the environment. This kind of consideration does not appear anywhere in the GDPR. However, some measures can be read, interpreted and reused for these ecological purposes.
It is true that the GDPR requires discipline in personal data management, a discipline which is not easy and is often strict. But perhaps, by giving itself a complementary objective which, without being spectacular, does concern human survival, the GDPR will be better accepted and integrated? The ecology of the GDPR is beneficial. The GDPR also contributes to the eco-design of our information systems.