Does the GDPR adequately protect individuals' privacy?

Privacy is a fundamental right and freedom that should be adequately protected by governments across the world. The regulation of the interconnected relationship between data and individuals’ privacy over their own data has faced significant scrutiny over recent years with the rise of internet mammoths, such as Google and Facebook, as well as the larger trend towards the mining of data. The regulation of such collection of data is essential.

General Data Protection Regulation:

Within the European Union, data protection is secured and regulated by the General Data Protection Regulation (“GDPR”). The GDPR relates to the “fundamental rights and freedom of natural persons” surrounding the “processing and free movement of personal data”. The regulation aims to address the rising power of Big Data practices and the power imbalance between data controllers, who derive significant commercial benefit from the use of data, and users, who bear significant harms associated with the usage of their own data. The legislation does this by placing explicit consent and anonymization techniques at the core of data processing. By focusing on these two specific aspects as a way to ensure data privacy and security, the GDPR fails to address not only the issues these concepts create but also how app developers should implement them.

The GDPR creates two issues that consequently significantly affect individual users’ privacy and data. Firstly, by using individuals’ consent as the gatekeeper to the legal processing of data, the GDPR places heavy emphasis on internet platforms themselves to fulfill the necessary GDPR standards. Simply obtaining users’ consent to the processing of their personal data does not make the processing of such data lawful. However, the fact that it is up to the internet organizations themselves to implement adequate privacy standards raises accountability questions as to whether these standards are implemented in reality. Secondly, the GDPR stipulates that when data is anonymized, explicit consent to the processing of the collected data is no longer required. At its core, by placing emphasis on anonymization techniques, the GDPR aims to reduce harmful forms of identification by preventing the singling out of natural persons and their personal information.

Is consent the correct standard for privacy protection?

The GDPR’s regime of privacy protection is painted as being supportive of individuals’ rights, giving them the choice on which data is collected and how it is processed. In reality, this results in nothing more than a legislative dodge, where obtaining consent from individuals is done only for the sake of processing their data.

So, now that we know that consent cannot and should not be the correct standard of privacy protection, the question becomes one of how privacy protection should be structured instead. In his speech “The Union, May it Be Preserved”, Professor Moglen draws inspiration from the environmental and ecological crises that have been brought on by industrial overreaching. This industrial overreaching modifies the climate in various damaging ways, threatening the survival of democracy by removing individuals' rights to a clean environment. In recent decades, privacy and the infringement by big companies such as Facebook and Google on individual freedom of internet/online privacy can be seen as another crisis resulting from an overreaching by internet companies that threatens the survival of democracy. The parallels here are undeniable. Firstly, both types of crises focus on the protection of certain types of rights. In terms of environmental protection, cases such as Robinson Township v Commonwealth of Pennsylvania have established “a right to a clean air and water” similar to the “fundamental rights and freedoms of natural persons” surrounding the processing and free movement of personal data, as mentioned by the GDPR. Secondly, in contrast to how the GDPR (and other privacy regimes) incorrectly view privacy as transactional, the reality is that privacy is more ecological and relational among people. For example, viewing privacy as transactional, with an individual being offered web hosting for social media, comes with the caveat that their privacy is infringed and that the web hosting company can access their private communications on the site. Instead, viewing privacy as ecological and hence relational among all individuals means that the effort of protection is placed on protecting the privacy of individuals rather than ensuring big technology companies can use individuals’ data for for-profit purposes.

Consequently, if privacy harm as a crisis of democracy is akin to that of ecological disruption as a result of industrial overreaching, a similar approach to tackle these violations should be employed. Speaking specifically on the US privacy regime, Professor Moglen, in his testimony on Internet Privacy, suggests that Congress should pass a National Privacy Policy Act which would work similarly to the National Environmental Policy Act, setting “large, general societal goals and empowering all federal agencies in the conduct of their activities to achieve those goals”. While broad policy suggestions empower all governments (or in the case of a National Privacy Policy Act, federal agencies) to protect the fundamental right to a clean online environment, a preliminary step needs to be undertaken. As the online environment is similar to the physical environment, the success of the various government actions in reducing industrial overreaching has also occurred as a result of pressure by activist groups and their general educational campaigns. For example, Clean Creatives used to help climate activists tell their stories and produce educational campaigns that highlighted to the public that oil and gas companies must change to avert a climate crisis. While various whistleblowers such as Frances Haugen have testified to various governments on the negative impact of big tech companies, these efforts have focused on specifically highlighting the actions of individual companies rather than educating the public at large. In order for a National Privacy Policy Act to be successful and to address the privacy of the online environment adequately, education campaigns as to the overreaching by big-tech companies need to become commonplace.