Law in the Internet Society

KatharinaRogoschFirstEssay 3 - 16 Jan 2022 - Main.KatharinaRogosch
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"

Does the GDPR adequately protect individuals' privacy?

Changed:
<
<
In the modern world of technology, where internet mammoths such as Google and Facebook, collect large amounts of personal data, the regulation of the collection of such data is essential. The interconnected relationship between data and individuals’ privacy over their own data needs to be examined to understand whether the current framework can achieve its own aims. This requires a two-set analysis: first, an examination of the regulation of data privacy and whether the standards imposed actually result in said protection; and secondly, an evaluation as to whether privacy should be protected by other means that it currently is.

To aid in this analysis, the European General Data Protection Regulation (hereinafter “GDPR”) will be examined. This is due to the fact that it is one of the strictest data protection laws enacted worldwide, and an examination of such a strict privacy and data-protection standard should provide clarity as to whether adequate privacy protections have been achieved.

This language is unbearably bureaucratic. You need to give readers a reason to read what you are writing, by showing them that you have something to teach them. That means putting your primary idea forward, simply and forcefully, so that someone who understands the subject has the best possible reason to continue reading.

>
>
Privacy is a fundamental right and freedom that should be adequately protected by governments across the world. The regulation of this interconnected relationship between data and individuals’ privacy over their own data has faced significant scrutiny over recent years with the rise of internet mammoths, such as Google and Facebook, as well as the larger trend towards the mining of data, the regulation of such collection of data is essential.
 

General Data Protection Regulation:

Added:
>
>
Within the European Union data protection is secured and regulated by the General Data Protection Regulation (“GDRP”). The GDPR relates to the “fundamental rights and freedom of natural persons” surrounding the “processing and free movement of personal data”. The regulation aims to address the rising power of Big Data practices and the power imbalance between data controllers, who derive significant commercial benefit from the use of data, and users who bear significant harms associated with the usage of their own data. The legislation does this by placing explicit consent and anonymization techniques at the core of data processing. By focusing on these two specific aspects as a way to ensure data privacy and security, the GDPR fails to address not only the issues these concepts create but also how app developers should implement these.
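Review bot: The abbreviation introduced in the first sentence of this added paragraph is spelled “GDRP”, while every later use in the same paragraph is “GDPR”; the parenthetical should be corrected so the defined term matches. The closing sentence also ends on “how app developers should implement these” without restating what “these” refers to; naming consent and anonymization there would make the claim easier to check.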
 
Changed:
<
<
Within the European Union data protection is secured and regulated by the General Data Protection Regulation. The GDPR aims “to give citizens and residents of the European Union and the European Economic Area control over their personal data, and to simplify the regulatory environment for international business by fully harmonizing the national data laws of its member states”. However, the GDPR does not only concern privacy, rather its objectives relate to the “fundamental rights and freedoms of natural persons” surrounding the “processing and free movement of personal data”. Consequently, the GDPR also aims to address the rising power of Big Data practices and the “economic imbalance between [these companies] on one hand and consumers on the other”.

The GDPR addresses the power imbalance between data controllers, who derive significant commercial benefit from the use of data, and users who bear significant harms associated with the usage of their own data. The legislation does this by placing explicit consent and anonymization techniques at the core of data processing. However, by focusing on these two specific aspects, the European legislators construct “structural regulatory spaces that fail to understand the ongoing challenges in delivering acceptable and effective regulation”. By exclusively concentrating on consent and anonymization techniques as a way to ensure data privacy and security, the GDPR fails to address not only the issues these concepts create but also how these should be implemented by app developers.

There are two issues created by the GDPR regulation, and that consequently significantly affect individual users’ privacy and data. Firstly, by using individuals’ consent as the gatekeeper to the legal processing of data, the GDPR places heavy emphasis on internet platforms themselves to fulfill the necessary GDPR standards. While simply obtaining users’ consent to the processing of their personal data does not make the processing of such data lawful, the fact that it is up to internet organizations themselves to implement adequate privacy standards says very little in terms of the protection that such standards afford in reality. Secondly, the GDPR stipulates that when data is anonymized, the need for explicit consent of the processing of the collected data is no longer required. At its core, by placing emphasis on anonymization techniques, the GDPR aims to reduce harmful forms of identification by preventing the singling out of natural persons and their personal information.

No, it's just a legislative dodge, resulting from the importance of seeming to so something without actually doing it. It's part of the necessary diffusion of analysis required by the framework of consdent.

However, as Narayanan and Shmitikov’s Paper on De-anonymization of Large Datasets and Oberhauses’s article on anonymous browsing data underline, de-anonymization of large data sets is standard industry practice for a majority of internet platforms.

If this is an important reference, link to it so the reader can follow your thinking. If, however, this is merely confirmation that your summary of the legislative purpose is inadequate, then this is not a matter of subsequent discovery, but rather of intention ineffectiveness. So the real question is, was everyone aware that this was a loophoile when it was enacted?

Is the GDPR the right standard for privacy protection?

As outlined above, there are several issues associated with using the GDPR as the standard for privacy protection, the two biggest ones being treating consent as the standard for privacy, and the ability to de-anonymize data. Despite these issues, there are a number of benefits associated with using GDPR as the standard for data protection, namely that it functions in what Profesor Moglen as part of his “The Union, May it Be Preserved” speech in a transactional sphere. While Professor Moglen sees this as a problematic quality of the GDPR, the fact that the GDPR functions as a transaction where users consent to collection and usage of their data as a “transaction” for which they receive the benefit of accessing internet platforms means that the regulation can easily be implemented by any type of corporation.

What? Why is compliance with environmental regulations not for everyone?

The issue with the GDPR is that the standards of implementation are too lax, and upon drafting the GDPR in 2018 the impact of de-anonymization technologies was not sufficiently considered.

That's not my issue at all. Have we switched from that inquiry to a different one, and if so how are they related? Here is the real heart of your essay, where the actual thinking is going on, so clarity and organization are overwhelmingly important.

One could argue that if amendments were implemented into the GDPR that would tackle the issues of de-anonymization technologies the current privacy issues would be adequately addressed.

Who could argue that? How could closing one loophole be a sufficient response to a fundamental architectural misdesign?

However, such an argument fails to address the fundamental power imbalance created by internet platforms such as Google, Yahoo, and Facebook, where individual users are not given a choice as to how their data is processed.

Except their decision not to provide it in the first place?
>
>
There are two issues created by the GDPR regulation, and that consequently significantly affect individual users’ privacy and data. Firstly, by using individuals’ consent as the gatekeeper to the legal processing of data, the GDPR places heavy emphasis on internet platforms themselves to fulfill the necessary GDPR standards. Simply obtaining users’ consent to the processing of their personal data does not make the processing of such data lawful. However, the fact that it is up to the internet organizations themselves to implement adequate privacy standards raises accountability questions as to whether these standards are implemented in reality. Secondly, the GDPR stipulates that when data is anonymized, the need for explicit consent of the processing of the collected data is no longer required. At its core, by placing emphasis on anonymization techniques, the GDPR aims to reduce harmful forms of identification by preventing the singling out of natural persons and their personal information.
 
Deleted:
<
<
Instead of working within the confines of the GDPR as it exists currently, Professor Moglen argues that we need to challenge our basic assumption that privacy and our data is part of the “transaction”. To some extent this idea has merit, in that why should our own personal data be a transactional token by which our privacy is achieved?
 
Changed:
<
<
But that's not my idea at all.
>
>

Is consent the correct standard for privacy protection?

 
Added:
>
>
The GDPR’s regime of privacy protection is painted as being supportive of individuals’ rights, giving them the choice on which data is collected and how it is processed. In reality, this results in nothing more than a legislative dodge, where obtaining consent from individuals is done only for the sake of processing their data.
 
Changed:
<
<
In this sense, Professor Moglen’s definition of privacy as “ecological” and “relational among people” rather than an issue of individual consent is one that seems to provide a stricter standard of privacy protection.
>
>
So, now that we know that consent cannot and should not be the correct standard of privacy protection, the question becomes one of how privacy protection should be structured instead. In his speech “The Union, May it Be Preserved”, Professor Moglen draws inspiration from the environmental and ecological crises that have been brought on by industrial overreaching. This industrial overreaching modifies the climate in various damaging ways, threatening the survival of democracy by removing individuals' rights to a clean environment. In recent decades privacy and the infringement by big companies such as Facebook and Google on individual freedom of internet/ online privacy can be seen as another crisis resulting from an overreaching by internet companies that threatens the survival of democracy. The parallels here are undeniable. Firstly, both types of crises focus on the protection of certain types of rights. In terms of environmental protection, cases such as Robinson Township v Commonwealth of Pennsylvania have established “a right to a clean air and water” similar to the “ fundamental rights and freedoms of natural persons” surrounding the processing and free movement of personal data, as mentioned by the GDPR. Secondly, in contrast to how the GDPR (and other privacy regimes) incorrectly view privacy as transactional, the reality is that privacy is more ecological and relational among people. For example, viewing privacy as transactional with an individual being offered web hosting for social media comes with the caveat that their privacy is infringed and that the web hosting company can access their private communications on the site. Instead, viewing privacy as ecological and hence relational among all individuals means that the effort of protection is placed on protecting the privacy of individuals rather than ensuring big technology companies can use individuals’ data for for-profit purposes.
 
Changed:
<
<
Stricter/less-strict is not a useful way of categorizing systems of regulation based on fundamentally different premises. It's just adjectives from news stories, not analysis.
>
>
Consequently, if privacy harm as a crisis of democracy is akin to that of ecological disruption as a result of industrial overreaching, a similar approach to tackle these violations should be employed. Speaking specifically on the US Privacy regime, Professor Moglen, in his testimony on Internet Privacy, suggests that Congress should pass a National Privacy Policy Act which would work similar to the National Environmental Policy Act, setting “large, general societal goals and empowering all federal agencies in the conduct of their activities to achieve those goals”. While broad policy suggestions that empower all governments (or in the case of a National Privacy Policy Act, federal agencies) to protect the fundamental to a clean online environment, a preliminary step needs to be undertaken. As the online environment is similar to the physical environment, the success of the various government actions in reducing industrial overreaching has also occurred as a result of pressure by activist groups and their general educational campaigns. For example, Clean Creatives used to help climate activists help tell their stories and produce educational campaigns that highlighted to the public that oil and gas companies must change to avert a climate crisis. While various whistleblowers such as Frances Haughen have testified to various governments on the negative impact of big tech companies, these efforts have focused on specifically highlighting the actions of individual companies rather than educating the public at large. In order for a National Privacy Policy Act to be successful and to address the privacy of the online environment adequately, education campaigns as to the overreaching by big-tech companies need to become commonplace.
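Review bot: In the replacement paragraph, “protect the fundamental to a clean online environment” is missing its noun (presumably “right”), and the sentence containing it, which opens “While broad policy suggestions that empower all governments”, never completes the “While” clause before “a preliminary step needs to be undertaken”. The sentence “Clean Creatives used to help climate activists help tell their stories” also reads as garbled, and the whistleblower's surname is spelled Haugen, not “Haughen”. These should be fixed so the paragraph's argument for education campaigns can be followed.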
 
Deleted:
<
<
While an ecological conception of privacy could provide a much stricter standard of individuals’ data protection, the means of achieving such protection are less concrete. Namely, what standard of privacy is going to be the baseline to which all protection is measured (if an ecological protection of privacy is adopted akin to environmental protection)?
 
Deleted:
<
<
That would be the question for the next draft of the essay, which can take all this preliminary out and get down to the thinking business.
 

\ No newline at end of file


Revision 3r3 - 16 Jan 2022 - 23:23:08 - KatharinaRogosch
Revision 2r2 - 07 Dec 2021 - 13:16:41 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.