Regulating Privacy: What Is the Point?

On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR) (1), replacing a directive dating back from 1995. This regulation is 88 pages long and intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. The pervasive nature of the Internet, the constant evolution of the technology, as well as the interests that the States themselves have in collecting information seem to limit the practical effect of adopting regulation in this field. In this paper, I will, shortly but non-exhaustively, develop arguments in favor and against the adoption of such kind of regulation, through examples stemming from the European approach (both under the current European data protection directive and under the GDPR).

The cyberspace has no borders. A company located in the Silicon Valley can offer its services online to the entire world and collect all kinds of data relating to its users, without having any branch outside of the United States. On the contrary, regulations are very often bound to a specific territory. In certain cases, rules apply to categories of legal entities linked to an organization. But in any case, such limitation of the regulation’s scope to certain places or entities seems to make regulation of privacy on the Internet impossible. As a result, one could question the efficiency of a regulation, especially when it comes to the enforcement of the rights it protects on the other side of the planet. However, this limitation to a territory with respect to data protection should be nuanced. In theory, the GDPR will be applicable to all companies offering services or collecting information regarding European behaviors through a website accessible in Europe (3). In practice, under the current Directive, the European Court of Justice (ECJ) applied the European data protection law to a processing carried out by Google Inc. in California. The ECJ decided that, despite the fact that Google's Spanish entity was not involved directly in the processing of personal data by Google Inc. (the Spanish entity was only in charge of selling advertisements), such processing took place "in the framework" of an establishment of Google, located in Spain (4). Even though the global aspect of the Internet does not allow to regulate every entities processing personal data, regulation can have an extraterritorial effect.

Under European law, data protection is not just a consumer’s right to be properly informed: it is a fundamental right, incorporated in the Charter of Fundamental Rights of the European Union. Article 8.1 of the Charter states that: “everyone has the right to the protection of personal data concerning him or her”. I think that explaining to the citizens that a violation of data protection law constitutes a violation of their fundamental rights is a powerful symbolic and educational tool. In today’s world, absent any regulations, the notion of privacy would be forgotten faster and progressively, nobody would stand for it anymore. During the recent years, some citizens have successfully invoked their rights under the directive in courts (Costeja Gonzalez, Max Schrems). The rights of the individuals have been extended under the GDPR. As an example, the right to information requires now a more detailed description of the processing activities (5). Thanks to these legal requirements, reading such privacy policy will give a lot of information to the individuals and enables people for whom privacy is a concern to know under which conditions the data relating to them will be processed, and to choose the provider that will not spy on them. Of course, you can lead a horse to water, but you cannot make it drink.

One of the new features of the GDPR is the possibility for data protection authorities (DPA) to impose significant fines (up to EUR 20,000,000 or 4% of the global turnover of the infringer, whichever is higher) (6). Under the directive, some countries did not foresee the possibility to impose fines. Where such fines were foreseen, the amount at stake were also much lower than under the GDPR. This creates a significant economic risk for companies collecting personal data; certain practices could not be as profitable as before, should such a fine be imposed.

I think that the adoption of regulation is not incompatible with other ways to ensure privacy, such as promoting the use of open sources software. Even if regulation is not a perfect solution towards privacy, I think it is one step in the good direction. It gives enforceable rights to large categories of individuals against a large category of companies that collect their behaviors. As emphasized above, it also helps to raise awareness and to a certain extent, to empower the individuals. By enforcing their rights, individuals could request data protection authority to impose significant fines, thereby creating an economic risk for these companies and a potential preventive effect.