Developing a Universal Data Protection Framework

In May 25th, 2018, the European Union's General Data Protection Regulation (GDPR) came into effect.

 min. read
January 11, 2021

n May 25th, 2018, the European Union's General Data Protection Regulation (GDPR) came into effect, with the objective of protecting citizens' rights on the Internet.

This created a different experience for us all on the web. On the one side, it made it difficult to navigate content, with all sorts of popups and dialogs that ask for permission before we can engage with a website.

On the other, it has had a profound impact in how we think of privacy, and how websites that do not take this into account will be perceived in the near future.

Source: European Progress

For those of us who tried to navigate the route to compliance, it became evident that in this age of information ubiquity, it becomes really important to tell your users what you do with the data you come into contact with.

It is vital to be transparent with your practices and provide a way in which they can have control.

Since not all websites are created equal, and many "free" services out there exploit the limits of what they can do with logging your visits and other details about you, there is a growing need to separate the good from the bad.

I think of it as a Secure Sockets Layer (SSL) certificate. Remember the padlock you see when you access any modern website? It used to be reserved for web apps or transactional systems, but it is used in all websites now in order to establish a secure connection from the web server to your browser.

Verifying an SSL certificate is key to a safe browsing experience, shown here is the certificate for our site:


Having SSL encryption is a basic necessity to guarantee data safety, yet most websites only saw this need when browsers started blocking access by default whenever the SSL certificate is missing.

Now the need for higher security is established, and there are great solutions to merely comply as well as going further with better features.

We would not really trust a company that does not use an SSL certificate, simply because it is comparable to not being able to identify them as actual owners and operators of the website.

In that sense, GDPR does the same for privacy rights, with many services now booming which offer a range of solutions to provide consent, have all terms clear for users, give options for cookies, and safely store a registry of decisions made by visitors.

Furthermore, it helps governments think about the importance of an even playing ground. If we all care about protecting our citizens' rights online, why not use the same rules? After all, GDPR is not trying to break the web, just make it safer.

The most common mistake I have seen in this first year of GDPR is companies complying only for European visitors, or European versions of their website. Also, in some cases, they do not comply and instead refuse any incoming traffic from Europe. This is missing the point, like pretending that regulation from one place will not influence regulation in another.

Source: Council of Europe

Indeed, it is possible to have a similar experience across websites all around the world if we all abide by these principles of what to do and what not to do. That is exactly what the European Union is trying to do with Convention 108, which was presented on March 28th in Brussels, at the Council of Europe.

What the Convention 108 achieves is to finally develop a global framework, and take the GDPR notions of privacy rights further, with the adherence of nearly 70 countries.

It is a great opportunity for the kind of positive leadership the world needs, one that places individuals' rights at the core of innovation, and contemplates future challenges from an angle of mutual trust and cooperation.

While currently it is difficult and cumbersome to enforce compliance of these terms, it is a great starting point for having a universal data protection charter of sorts, which can only be enforced if the effort is multilateral.

For consumers at least, the difference will be very clear: those brands that do absolutely nothing about GDPR will soon look like peddlers of counterfeit goods.