On 25 May 2018, the General Data Protection Regulation (GDPR) became law throughout the European Union. Because it’s a regulation rather than a directive, implementation is not left to the discretion of states; it became part of the legal code of every member of the EU, including the UK at the time. In essence, the GDPR is a set of rules designed to give EU citizens more control over their personal data. The drive behind the regulation was the need to bring the historical patchwork of laws and obligations around personal data, privacy and consent across Europe up to speed and make them fit for purpose in a world dominated by surveillance capitalism. On the face of it, the GDPR looks like a formidable legal instrument.
At any rate, in the run-up to its implementation, the prospect of it seemed to scare the wits out of companies and organisations large and small. It was a gold mine for legal and data-protection consultants. Even amateurs such as me were often approached by small community groups terrified that their email list would get them into trouble because they hadn’t explicitly asked every individual on it for their approval.
We have a powerful legal instrument that is not being brought to bear on the abusers