Angelica Concepcion Fedetto

Chasing Shadows: The Privacy-Cybercrime Tightrope Under GDPR


Picture from iStock


Since it was put into effect in 2018, the General Data Protection Regulation (GDPR) has been the toughest privacy and security law in the world. Drafted and passed by the European Union, this law exists to protect the data of its citizens, strictly enforcing its data security requirements. Penalties? Just pocket change – if your pockets are lined with tens of millions of euros.


From the €50 million fine handed to Google in 2019 for being as transparent as fog and about as trustworthy with consent on personalisation, to the more recent €1.2 billion fine on Meta (May 2023) for transferring European user data across the Atlantic without adequate data protection mechanisms, the GDPR doesn’t just enforce rules – it’s rewriting the global landscape of data protection enforcement, one dramatic showdown at a time.


But every silver lining has its cloud, and the GDPR is no exception. 


With its rigid rules on personal data processing, complete with restrictions on sharing (Article 44) and an obsession with explicit consent (Article 7), the GDPR can become a serious hindrance when it comes to fighting against the slippery shadows of the cybercriminal world.  


As members of the Union, cybercriminals can exploit the right to erasure (Articles 15 to 22) to delete evidence or invoke the “right to be forgotten” (Article 17) as a shield against investigations; and the law’s insistence on explicit consent complicates proactive cybersecurity efforts, since organisations might be hesitant to thoroughly monitor suspicious activities for fear of stepping into the compliance quagmire.  

In cross-border investigation cases, matters worsen further.  


Transferring crucial data to law enforcement agencies like Interpol requires a bureaucratic tango (because the restrictions on transfers of personal data of Article 44 apply even to trusted partners and law enforcement agencies under other jurisdictions); and of course, the underfunded Data Protection Authorities (DPAs), while given a larger-than-life role by the GDPR, often lack the resources or expertise to truly support law enforcement in cybercrime investigations.  


Add the requirement to anonymise (Articles 4 and 32) and minimise data (Article 5), which reduces the identifiability of the individuals whose data is being processed, and there is a perfect storm for legal headaches, delays, lost evidence, and frustrated investigators tiptoeing on a tightrope.  

And, as this year’s Europol Internet Organised Crime Threat Assessment (IOCTA) reports, “the number of cybercriminals entering the market continues to grow steadily.”



Picture by Oleksiy Mark 


A handful of proposals can be floated to streamline the GDPR enforcement process, and they might just be what is needed to turn this tightrope into, at least, a beam.  

First on the list, a harmonising process, which would create uniform procedures for cross-border threats and complaints, aiming to have the European DPAs work in unison. With standardised timelines, shared investigative duties, and unified classifications, the whole process could move from a sluggish shuffle to a synchronised sprint.  


Next, the obvious suggestion to provide the DPAs with more resources, especially in countries such as Ireland, which handle a significant portion of GDPR cases. A boost in funding, technical expertise, and staffing would help clear backlogs and allow investigations to pick up speed – which is, clearly, desperately needed.


Then, facilitating collective action, so that consumer organisations can take the reins on behalf of individuals. Under the current framework, this would make it easier for the masses to seek justice without wading through legal red tape themselves. And introducing an economic analysis of such matters, borrowed from competition law to quantify the financial harm caused by GDPR violations, would finally put a price tag on privacy breaches at the hands not of companies, but of cybercriminals.


And, of course, from a technology angle, upgrading complaint management systems with real-time tracking tools and dashboards would ensure quicker responses and better oversight of violations.


The feasibility? Most of these ideas are not just wishful thinking: they are practical improvements that could go a long way in making GDPR enforcement more efficient against cybercrime. The challenge lies in the political will and investment needed to get these reforms off the ground. With the diverse priorities and resources of the EU States, achieving uniform adoption might be tricky.


The GDPR may be the shining knight of privacy, but its armour can be heavy when it comes to the fight against cybercrime. As the European Union struggles to find a balance, the clock is ticking; and, as everyone knows, time is the ultimate weapon.  

 
