GDPR: Social Media’s Biggest Test

No other EU regulation has drawn such a global interest in recent years as the General Data Protection Regulation, or as everybody has come to know it: GDPR. While the primary goal of the new law was to give (back) control to citizens over the use of their personal data and to unify existing regulation in EU member states under a single dedicated law, the first days of its coming to effect have created noticeable panic at many companies. Certain American media outlets resorted to block access to their sites from within the EU. 

Is GDPR a good or a bad thing? Can it lead to meaningful changes when it comes to privacy? Read our interview with Dr. Csaba Attila Hajdu, Associated Partner at bnt attorneys-at-law, who specializes in information and communications technology law. The company bnt attorneys-at-law is a law firm operating in nine countries across Central and Eastern Europe. 

CMDS: If you had to summarize, who is going to be affected by the GDPR? 

Csaba Attila Hajdu: The GDPR is an acronym for General Data Processing Regulation. It is a Regulation of the European Parliament and the Council, and it regulates how personal data of natural persons can be processed. So in general, the GDPR affects those who process personal data and who give personal data to another person. 

In practical terms - as we live in an information society - essentially everybody will be affected by the GDPR. By their very nature, all economic entities and other legal persons deal with personal data even if data processing is not part of their core activities. Regarding natural persons, an overwhelming part of the population uses the internet, cell phones, social media and networking services. In their case, it is almost obvious that the GDPR will affect the processing of their personal data. 

CMDS: What are the key opportunities that GDPR is bringing about and who is going to enjoy them the most? 

Csaba Attila Hajdu: Under the obsolete Hungarian legislation, the list of legal basis was extremely short. A controller had to obtain the natural person’s consent for data processing or the controller had to rely on the authorization specified by the law. If the processing was necessary for the performance of a contract made with the natural person, the controller still had to obtain the natural person’s consent. This approach was not entirely practical, because consent management results in many difficulties.  

Compared to the above mentioned situation, the GDPR introduces numerous new forms of legal basis. In the future, controllers may rely on those new legal bases instead of obtaining consent. Since no consent will be needed in numerous cases, those situations will be a lot simpler under the GDPR. I think both controllers and natural persons will enjoy the benefits. Controllers may spare their effort that they had to dedicate to consent management.  

CMDS: There is a lot being written about what changes the GDPR brings to companies and what individuals can do to protect their own data, but it’s not clear how this is going to be implemented. Can you explain what the implementation process will consist of at EU-level, but also at country-level? 

Csaba Attila Hajdu: The GDPR requires local legislation regarding numerous matters. For example, the local data protection authority has to be appointed. On country level, the Hungarian legislator has not yet adopted legislation that would be necessary for such implementation. As many draft bills have been circulated in the past six months, I do not wish to speculate what that new piece of legislation may bring about.  

CMDS: We are very much interested in the effects of GDPR on media and journalism. Are there any consequences stemming from this regulation on media outlets, individual journalists, even bloggers? 

Csaba Attila Hajdu: Naturally, the GDPR also applies to media outlets, journalists, bloggers, since their work rarely fits within the category of purely personal or household activity. Among others, this means that interviewees must be properly informed about the use of their interview. 

CMDS: Along these lines, what are the consequences of the GDPR on social media operations? 

Csaba Attila Hajdu: Although it is difficult to generalize, my assumption is that social media operations are legitimate parts of our society. Thus, they will be able to continue operating after some adaptation to the GDPR. At first, that adaptation will face some difficulties. Those difficulties stem from the fact that GDPR requires more communication between such companies and their users about rights, privacy, but let’s be honest, the average user is not really keen on these topics. That average user will find these forced communications interrupting the smooth experience that he or she expects from social media operations. Therefore, social media companies will have to find a way to comply with the GDPR without jeopardizing the user experience. That’s a tough pressure on developers of social media platforms, indeed. However, I believe that sooner or later some standard will emerge from this pressure and after a while, we won’t raise an eyebrow if the first use of a website will start with e.g. a privacy dashboard. 

Dr. Csaba Attila Hajdu graduated as Dr. Jur. from the University of Péter Pázmány in 2005. He joined the Budapest office of bnt attorneys-at-law in 2007, shortly after he completed his studies at the University of Cambridge, ICE. He commenced working with data protection and with related legal matters of IT and computing around that time. In order to complete his experiences with an academic outlook, he studied information and communications technology law at the University of Pécs, where he was awarded LL.M. in 2015. He wrote his thesis on certain data processing issues in an employment context under the supervision of Dr. András Jóri, the former data protection ombudsman of Hungary. In 2016, Csaba got promoted to Associated Partner at bnt attorneys-at-law.