Herkko Havumäki // 30 July 2024

The EU is a pan-European project historically rooted in the goal of maximising peace and freedom through regulations. The process of integrating and harmonising legislation in a community of liberal values such as the EU is inherently good, ensuring that it remains relevant and strong in a global future. However, there is always a risk of over-regulation in harmonisation projects, and unfortunately, this has been the case with the General Data Protection Regulation (GDPR). The regulation overreaches and thus restricts freedom.

The EU as a community of values

The EU’s original goal was to establish a lasting peace between constantly warring parties. Peace is a prerequisite for a liberal society, and without peace, there is often no room for freedom. Therefore, the EU is also inevitably a project of freedom. These two fundamental values are mentioned in the preamble to the EU Charter of Fundamental Rights.

The values that have taken root in Europe should not be taken for granted, as they are by no means accepted as self-evident in the face of competing value systems worldwide. On the contrary, we live in a world where the global machinery of violence is sustained by those for whom war, in the words of Clausewitzl, is a continuation of politics by other means. In the rituals of war, freedom is left outside the door along with peace.

Content and scope of the General Data Protection Regulation

Freedom is threatened not only by states of emergency such as war but also by more mundane issues such as the over-regulation of an organised society. A liberal social order does not function effectively when it is regulated excessively, as the resulting unpredictability undermines economic activity and obscures the meaning of key rights such as property rights. The invisible hand cannot promote functional exchange if it is shackled by an over-regulated society.

However, despite good intentions, the over-regulation described earlier has been implemented in the form of the GDPR.

The GDPR defines the rights of individuals in relation to the processing of their personal data. It grants individuals the right to access the data stored about them to understand how their personal data is collected, how it is processed, and to whom it is disclosed. They also have the right to correct any inaccurate information, to have their data erased from the register, to object to the processing of their personal data, and to restrict the processing of their personal data. Similarly, the GDPR imposes an obligation on the controller to ensure that these rights are respected.

As the GDPR is a regulation and not a directive, it does not require new legislation in member states but has a direct effect; that is, citizens of member states can invoke it the same as national law. Due to the primacy of EU law, in the event of a conflict, EU law must take precedence over national constitutions.

Legislatively, it is significant that the GDPR is not limited to its extensive regulatory text but is largely interpreted through the GDPR guidelines. In extreme cases, this means that the guidelines – which have been studied by a relatively small number of people – ultimately override the Finnish Constitution in a conflict of norms.

Problems with the GDPR

The GDPR restricts individual freedom and imposes unreasonable requirements on everyone, especially on small and medium-sized enterprises (SMEs), where individualism often thrives. It places a largely uniform regulatory burden on those it applies to – that is, on almost everyone – regardless of the scale and nature of their activities. It imposes substantial fines for minor ‘infringements’ and has provisions that entail even larger penalties up to hundreds of millions of euros (Article 83).

The regulation thus features a considerable disparity between the nature of the infringement and the resulting penalty. One-time incidents that do not directly cause damage to anyone can result in penalties of hundreds of thousands of euros.

The scope of the GDPR is often misunderstood as it applies to all data controllers. The scale or nature of the activity is not given significance in the regulation, which means that, for example, a small housing association and a large multinational company are treated equally.

The system is also flawed. Public operators often face lenient penalties, while private companies receive substantial sanctions for similar violations. Private companies are set to serve as examples by imposing intimidating sanctions that will act as deterrents in the future.

Moreover, the GDPR is not suited to our legal system. It differs significantly from the traditional system of fines that underpins administrative sanctions, which is based on the principle of deliberate pounding and counter-pounding. Thus, the large administrative fines imposed by the GDPR appear dubious, particularly in the trivial situations mentioned earlier, when compared to other sanctions within our legal system.

Criminal sanctions and, for example, sanctions for clear misconduct in the workplace pale in comparison to the compensation amounts distributed under the GDPR. The GDPR can have a significant impact; for instance, a taxi sticker not indicating that both pictures and audio are being recorded can lead to severe penalties.

The GDPR does not guarantee good administration or promote the use of the least intrusive means of control. On the contrary, GDPR sanctions are imposed after a formal consultation, even if the errors were not brought to the attention of the controller earlier and an opportunity to correct the procedure was not offered. The sanctions are determined by the college, which imposes them on a largely speculative basis. In many cases, the authorities essentially assume that more serious damage could have occurred, and this assumption is used to justify the imposition of a significant penalty.

All of this undermines the predictability of the application of the law, legal certainty, and the freedom of those operating in society. In Finland, domestic GDPR sanctioning practices show that companies believe that they have tried to comply with the GDPR as they understood it, and any deviations from the authorities’ interpretation were not intentional.

The GDPR discourages innovation and healthy risk-taking, instead encouraging companies to prepare for ‘GDPR horror scenarios’. In its current form, the regulation cannot be considered a friend of the community of liberal values.

The cost of preparing for the GDPR and its practical application can only be estimated, but it is likely to be staggering.

The GDPR and its guidelines are exactly the kind of EU legislative ‘rapture hole’ that Thomas Wilhelmsson has warned about: the regulation has emerged in a context where its appearance and effects are neither anticipated nor desired.

The true content of the regulation is known only to a few, even though it affects everyone. It turns a large number of operators into offenders and threatens them with an administrative sanction of a criminal nature, which has become the standard equivalent of a criminal penalty.

This analogy brings to mind the theory of stigma, which is well-known in criminology. According to this theory, the stigma of being labelled a perpetrator can further encourage delinquency and foster general indifference to social norms. The legitimacy of a community of values is undermined by stigma.

Unfortunately, the GDPR is not a trivial matter. The question is: what should we, as European citizens, do now that the EU is emphasising its role as a peace project but seems to be neglecting the promotion of freedom? The EU must stay true to its roots and ensure that freedom is at the heart of all regulations, rather than control and restriction. While it is clear that data protection standards are needed, the regulations should be improved beyond what we currently have. The GDPR does not embody the concept of freedom.

This blog was originally published by Libera in Finnish.