HomepageCommercial LawPrivate LawPublic Law & Human RightsCriminal LawEU & International LawCareers


Have Irlen Syndrome, or need different contrast? Click the button below for options.

Background Colours


Enter you email address below to subscribe to free customisable article notifications.

Alternatively, click the button below for our various RSS Feeds (available journal wide, or per section).

General Data Protection Regulation:Triumph for Privacy or the End to Expression?

Article Cover Image

About The Author

Samuel Cuthbert (Private Law Manager)

Sam read Philosophy at Durham University, followed by the GDL funded by the Lord Brougham Scholarship and a Hardwicke Scholarship from Lincoln's Inn. Sam is now spending a year, prior to undertaking the BPTC, to develop his legal interests in a paralegal capacity. His legal career is starting in a M&A paralegal role at a large Viennese firm. He is a passionate speaker and has his sights set firmly on a career at the bar.

[Read More]

[A] man walked into a Target outside Minneapolis and demanded to see the manager. He was clutching coupons that had been sent to his daughter, and he was angry, according to an employee who participated in the conversation.

“My daughter got this in the mail!” he said. “She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?”

The manager didn’t have any idea what the man was talking about. He looked at the mailer. Sure enough, it was addressed to the man’s daughter and contained advertisements for maternity clothing, nursery furniture and pictures of smiling infants. The manager apologized and then called a few days later to apologize again.

On the phone, though, the father was somewhat abashed. “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

A story that appeared in the NY Times.

There are few stories that better illuminate the difficulties in regulating the dissemination of digital data. Circumstances in which a supermarket becomes aware of a customer’s pregnancy prior her having father becoming so demonstrate the sensitivity of the information that we provide in seemingly innocuous transactions. The natural question arising from this asks how we best protect that information in a commercially sensitive way.

The General Data Protection Regulation (GDPR) seeks to provide an answer. Due to come into force in the latter stages of 2018, some have already described it as “a milestone of the digital age”. This is a contention with which I largely agree, for the principal reason that the GDPR represents a teething exercise for privacy law across Europe; and whilst it still has some way to go, we must celebrate that privacy law is now developing through the GDPR to allow effective protection of technology users. This is something that has come to the fore dramatically following the recent leak of data from law firm Mossack Fonseca, a series of events which sharply underlines the level of need for cogent technological safeguards.


A crucial change made by the GDPR alters the rules regarding consenting to the harvesting of personal information. Data users, where the data controller relies on consent as their legal basis for processing, must now consent to their information being processed in a way, which is “freely given, specific and informed.” Data controllers – the persons deciding the manner in which data is stored and used– must be able to establish that consent has been given for data to be used in a given way. Given the prevalence of digital data collection, such ‘harvesters’ of personal data are typically website or application operators.

Recital 25 of GDPR allows that a positive action indicating consent could include ticking a virtual box:

Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.

However, acquiescing to a pre-ticked box, or remaining silent regarding data processing will not cohere with the consent requirements laid out in the GDPR.

Whilst consent given before the GDPR comes into force will remain valid until it is deemed too old (typically a year or so after consent has been given with no affirmative action in the interim), the GDPR goes a good deal further than its legislative predecessor ever did in this regard.

Whilst Vidal-Hall v Google made it clear that under the Data Protection Directive consent wording could not be buried deep within click-wrap terms and conditions or privacy policies, it was possible to obtain consent by providing a user with a pre-ticked checkbox with suitable wording, which, for all intents and purposes, was an opt-out, not an opt-in. This will no longer be the case – there is no longer scope for inadvertent assent to data processing.

The Right to be forgotten

The GDPR goes further; it also empowers the individual with the facility to require that their data is deleted once they no longer consent to its processing, where the data controller originally relied on consent. Under the DPA, you can withdraw your consent to processing, where that is what the data controller relied on, for any number of particular purposes, but you could not demand that your data was deleted once you did. The right to be forgotten was widely discussed in the recent case of Google v Spain, an excellent analysis of which can be found here. However, it should be noted that the “right to be forgotten” (properly called, “the right to erasure”) under the GDPR is not identical to what was discussed in Google v Spain. The right to erasure under the GDPR applies across the board, not just to search engines.

Penalty for breach

Failure to cohere with these the GDPR’s obligations engages a provision to impose fines for infringements. These could stretch to the greater of €20m or 4% of annual turnover for the data controller or processor, taking into account the nature, gravity and duration of the infringement.

At the heart of these changes is the imposition on data controllers to do more before they can use an individual’s personal information. The focus of this legislation is pointedly in the direction of the privacy of the individual. Where that individual’s right to privacy was once subject to the often-huge imbalances of power between themselves and their data controller, they now have a statutory framework protecting them, allowing digital privacy law to develop teeth in the process.

Privacy at the Price of Expression?

However, there is a case to be answered that this teething process has seen privacy law develop at the expense of Freedom of Expression.

Point 3.3 of the explanatory memorandum to the GDPR lays out the importance of balancing the privacy rights embedded within the regulation, with other fundamental rights:

The right to protection of personal data is established by Article 8 of the Charter and Article 16 TFEU and in Article 8 of the ECHR. As underlined by the Court of Justice of the EU , the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society.

This section then expands to discuss other fundamental rights enshrined in the Charter that may be affected, the first of which is Article 10: Freedom of Expression.

There has been discussion centred on the extent to which GDPR effectively balances the rights to privacy and expression. There is a convincing argument to be made asserting that when a data controller or processor fails to comply with a right request, the complaining party has the facility to take the data controller or data processor to the national regulator (in the UK the Information Commissioner’s Office (ICO)). The ICO then seeks to resolve the complaint.

By contrast, the legal avenues available for asserting expression rights are minimal. There is no ICO equivalent for ensuring rights of expression. Naturally the focus of a body like the ICO is on balancing expression and privacy, but there is no form of redress should a situation arise in which a false accusation is made of privacy rights being constricted. What is the data controller or data processor to do? Almost certainly, there is no scope to seek compensation through the courts, as no cause of action for such a claim yet exists. The concern, as is laid out in this Stanford article, is that this tilts the playing field away from equilibrium of expression and privacy, in favour of the latter.

Defenders of GDPR will, at this juncture, direct you to the journalistic exemption built into undertaking 121 of the regulation following thus:

(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights… 

This exemption is certainly a positive factor in redressing the problem, but it does not go far enough. In the normal course of events, the data controller would process the data as he/she wished until the ICO received a complaint and obligated them to act differently. At this point the ICO could, and would be likely to, take into account freedom of expression, as would a court. This is not a point in dispute. 

The consideration would be prefaced by a claim contending infringement of privacy rights. That is to say that the consideration of freedoms of expression would be in the context of a privacy complaint, as complaints made to the ICO concern misuse of data. Deliberations regarding freedom of expression would come secondary, therefore, to establishing whether data protection laws have been infringed.

Resultantly, the scope to consider and protect freedoms of expression is limited when compared with a potential system in which freedom of expression complaints could be heard in their own right.

Fixing this problem within the text of the GDPR is now impossible. The answer appears to be to allow data regulating bodies such as the ICO to hear complaints for breaches of both the right to privacy and the right of expression. How such a complaints system might work would likely require a whole other article, but in short it would involve an extension of the ICO’s role and powers to hear a broader range of grievances, with an accordingly extended power to sanction.


Hitherto, privacy law has not been as effective as it might have been. In this regard, I conclude with three points. First, I contend that the GDPR is a much needed teething exercise for privacy law, refocusing the statute on the freedoms of the individual at stake and imposing serious sanctions in the event that they are breached. Second, it is my contention that we must pay caution to the speed of that teething process for fear that its bite may quickly outmatch that of its compatriot fundamental freedom of expression. Third, it is my hope that as technology progresses at a continually increasing rate, there will remain a concentration on establishing and maintaining a balance of our fundamental freedoms. To that end, the GDPR - whilst in need of tinkering – is a step in the right direction.

For the latest articles straight to your inbox, you can subscribe for free. Alternatively, follow @KeepCalmTalkLaw on Twitter or Like us on Facebook.

Tagged: Privacy Law, The GDPR

Comment / Show Comments (0)

You May Also Be Interested In...

GDPR: Challenges for Businesses, Eighteen Months On

3rd Dec 2019 by Kerry Gibbs (Guest Author)

NT1 & NT2 v Google Pt II: Hiding Criminal Convictions

12th Jun 2018 by Connor Griffith

NT1 & NT2 v Google Pt I: The Right to be Forgotten

8th Jun 2018 by Connor Griffith

Enhancing Privacy and Data Protection: The GDPR and the Road Ahead

5th Jun 2018 by Dena Anee

A Dose of Privacy? The Impact of GDPR on the NHS

29th May 2018 by Ceylan Simsek

An Introduction to the GDPR and its Impact on Competition Law

25th May 2018 by İnayet Aydeniz Baytaş

Section Pick May

Coronavirus and Contracts: Is Frustration in Play?

Editors' Pick Image

View More


Keep Calm Talk Law: Moving Forward

3rd Sep 2019

Changing of the Guard: Moving Keep Calm Talk Law Forward

12th Aug 2018

An Anniversary or Two: Four Years of Keep Calm Talk Law

11th Nov 2017

Rising from the Ashes: The Return of Keep Calm Talk Law

18th Nov 2016

Two Years On, Keep Calm Talk Law’s Legacy is Expanding

11th Nov 2015


Javascript must be enabled for the Twitter plugin to function. Click below to visit us on Twitter.

Free Email Subscription

Subscribe to Keep Calm Talk Law for email updates, and/or weekly roundups. You can tailor your subscription on activation. Both fields are required.

Your occupation / Career stage is used to tailor your subscription and for readership monitoring.

Uncheck this box if you do not want to receive our monthly newsletter.

By clicking the Subscribe button, you agree to our privacy policy and terms of service. Please ensure you read these in full.

Free Subscription