Skip to content
Law Society of Scotland
Search
Find a Solicitor
Contact us
About us
Sign in
Search
Find a Solicitor
Contact us
About us
Sign in
  • For members

    • For members

    • CPD & Training

    • Membership and fees

    • Rules and guidance

    • Regulation and compliance

    • Journal

    • Business support

    • Career growth

    • Member benefits

    • Professional support

    • Lawscot Wellbeing

    • Lawscot Sustainability

  • News and events

    • News and events

    • Law Society news

    • Blogs & opinions

    • CPD & Training

    • Events

  • Qualifying and education

    • Qualifying and education

    • Qualifying as a Scottish solicitor

    • Career support and advice

    • Our work with schools

    • Lawscot Foundation

    • Funding your education

    • Social mobility

  • Research and policy

    • Research and policy

    • Research

    • Influencing the law and policy

    • Equality and diversity

    • Our international work

    • Legal Services Review

    • Meet the Policy team

  • For the public

    • For the public

    • What solicitors can do for you

    • Making a complaint

    • Client protection

    • Find a Solicitor

    • Frequently asked questions

    • Your Scottish solicitor

  • About us

    • About us

    • Contact us

    • Who we are

    • Our strategy, reports and plans

    • Help and advice

    • Our standards

    • Work with us

    • Our logo and branding

    • Equality and diversity

  1. Home
  2. For members
  3. Journal Archive
  4. Issues
  5. June 2019
  6. Opinion: Mark Leiser

Opinion: Mark Leiser

Heralded as an empowering measure giving individuals control over their personal information, the GDPR is in practice being undone by its own complexity and has strengthened the position of big tech
17th June 2019 | Dr M.R. Leiser

Last month marked the first anniversary of the European Union’s General Data Protection Regulation (GDPR) coming into force. From news about Amazon’s Alexa listening to our private conversations, to facial recognition cameras installed in airports and taxis, the year since has been a steady drip of revelations about data collection practices of big tech firms and breaches that have exposed the personal information of millions of data subjects. 

Behind the scenes, though, reaction to the GDPR has been quite different. Businesses have struggled to come to terms with their obligations under the new law, while others have failed to conduct proper balancing tests between competing rights. The Information Commissioner’s Office has been overwhelmed with complaints, queries, investigations and enforcement proceedings. Opaque guidance from the regulator has not exactly made implementation easy. Who would have thought a fundamental right could be so difficult, requiring everything from data protection officers and impact assessments to determine the effects of processing? 

At the heart of the GDPR are data subject rights – tools that you and I can exercise against actors known as data controllers who make decisions about the way our personal data are handled. Yet for most of us outside of the data protection filter bubble, the GDPR looks responsible for nothing more than a disruption to the user experience. First it was an inundation of “consent” emails to continue marketing communications. Now it is the annoyance associated with website pop-up windows demanding users “accept to continue”. Ironically, both of these are not GDPR consent issues at all. The first issue relates to the e-Privacy Directive. Furthermore, a company does not need consent to process personal data if it has a legitimate interest in marketing to its customers.

Of course, we rarely exercise our data subject rights, and the Regulation meant to “rein in Google and Facebook” has done nothing of the sort. In the run-up to 25 May 2018, big tech doubled down, getting a fresh set of permissions for data processing. This has actually empowered big tech into processing even more data. The law of unintended consequences. Although the US regulator is expected to fine Facebook up to $5 billion for its data protection practices, it is safe to say that big tech has already internalised the costs of compliance. Last quarter, Facebook’s total revenue rose from $12.97 billion to $16.91 billion and Google reported first quarter revenue of $36.34 billion. When you are making that kind of money, it is safe to say that you can afford the GDPR’s regulatory burden. 

However, small businesses and sole traders that cannot afford data protection experts are now faced with the task of making correct decisions about compliance, under the threat of sanction. Subject access requests and right to be forgotten requests can, and often are, abused. A Glasgow-based criminal lawyer has sought advice whether a deletion request could be exercised against his firm from the very person named in an incrimination defence. Subject access requests have been lodged to gain access to judges’ notebooks from legal proceedings. Although it is easy to notch these up as vexatious requests, a legally required response takes time and money. Sometimes the request is not clear or the balancing test is confusing. Furthermore, no one really knows the extent of the definition of personal data and determining the legally appropriate response might mean extensive calls to the ICO helpdesk. 

As compliance fatigue sets in, the GDPR runs the risk of turning into the new health and safety, as in “We cannot do that because of GDPR.” Everyday activities like bin collection and taking photographs in public places have been erroneously prohibited “because GDPR”. 

What exactly is empowering in a rule interpreted in such a manner that parents are prevented from taking pictures of Junior in the school play? 

The GDPR has helped people understand the importance of data protection and provided data subjects with increased protection. It forces data controllers to think about processing and getting the proper ground for doing so. 

As time passes, new data protection norms will likely develop. Some say the next decade will bring more aggressive enforcement from national data protection authorities. 

But although heralded as a new privacy framework for data subjects, in reality it is a mess. 

The complexity of the GDPR has and will continue to be its undoing. Some have suggested that the Regulation is a living document and will help constrain the unmitigated harms associated with everything from profiling to targeted advertising. Until then, I remain sceptical.  

The Author

Dr M.R. (Mark) Leiser is Assistant Professor at Leiden Law School in The Netherlands 
Share this article
Add To Favorites
https://lawware.co.uk/

Regulars

  • Book reviews
  • Reading for pleasure
  • People on the move

Perspectives

  • Opinion: Mark Leiser
  • Profile: Edward Sakala
  • President's column

Features

  • The menopause: the new protected characteristic?
  • The clinical psychologist as expert witness in family law
  • A worthwhile job
  • All litigants are equal... but some more so?
  • Children Act: the results are in
  • The UNCRC: in our stride, or a giant leap?
  • Power in the land

Briefings

  • Young lawyers and the retention issue
  • Domestic abuse cases on the way
  • Data protection in M&A deals – at crossed purposes?
  • When recognition is not enough
  • Strictly by the book?
  • Short pay?
  • Scottish Solicitors' Discipline Tribunal
  • Freed from chains?
  • About a planet
  • Public policy highlights

In practice

  • Tradecraft – one solicitor's experience
  • Dear employer...
  • Team building – for the Foundation?
  • Accredited paralegal practice area highlight: conveyancing
  • Accredited Paralegal Committee profile
  • What's new for paralegals?
  • Ask Ash
  • Managing the risk of workplace stress
  • Appreciation: Iain Alexander Macmillan
  • Revealed – by your AML certificates

In this issue

  • Why legal tech still needs a human touch
  • New partner? Time for a financial review
  • Client capture: a “people” platform

Recent Issues

Dec 2023
Nov 2023
Oct 2023
Sept 2023
Search the archive

Additional

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
About us
  • Contact us
  • Who we are
  • Strategy reports plans
  • Help and advice
  • Our standards
  • Work with us
Useful links
  • Find a Solicitor
  • Sign in
  • CPD & Training
  • Rules and guidance
  • Website terms and conditions
Law Society of Scotland | © 2025
Made by Gecko Agency Limited