If author Edwin Black is to be believed, IBM leased a mailing list system based on punch-cards to the Nazis in 1939. And they used it to identify Jews and target them for extermination, block by block.
Observers still argue whether IBM was culpable. But one thing is clear: Europeans have seen first-hand what happens when states apply technology for evil purposes.
If we understand it, the GDPR was intended to prevent misuse of personal information not only by email marketers but by governments. Especially by governments.
But countries have a loophole: a rule allowing restrictions of the “fundamental right of data protection.” In other words, privacy is not guaranteed as you think it would be under GDPR.
Case in point: “Article 23 includes as an objective for a restriction the protection of judicial independence and judicial proceedings,” National Law Review writes. How this relates to data privacy is not clear, but there is no time limitation on this restriction since the above goals are ongoing.
In contrast, restrictions adopted during a public health emergency “should be imposed for a specific period of time,” National Law Review states.
Those types of restrictions apparently don’t include “the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.” That’s scary enough.
The EU offers many caveats. For one, governments should not impose restrictions unless they have been mandated in legislation.
And “even in exceptional situations, the protection of personal data cannot be restricted in its entirety”, the EU states.
That means protection must be upheld in even when emergency measures are in place, “thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded,” it adds.
Finally, restrictions should be seen “as exceptions to the general rule allowing exercise of rights and imposing the obligations enshrined in the GDPR.”
All this may be very benign. But let’s say an EU state less devoted to democratic norms than the others passed a law containing certain restrictions, and used it to suppress dissent.
What do they do then?