Law in the Internet Society
Maya Uchima

An Analysis of the EU’s GDPR

The Privacy Infringement Problem in the Modern World

It has become more and more apparent in today’s society that the concept of privacy has been eroded, redefined, and curtailed as the power of corporations has dominated. Consumers must actively and aggressively opt-out from having private information logged and stored by websites. Oftentimes, consumers are not given the option to prevent companies from collecting data from them. For example, EPIC’s lawsuit against Google alleges that Google has been tracking in-store purchases by gathering information from credit card transactions and using that data to target ads specific to each consumer. Not only can purchases (on and offline) reveal one’s tastes and interests, but searches on the internet or viewing trends logged by a cable box can provide valuable data that can be used in profitable marketing strategies. There is an argument that these targeted ads serve only to make life easier, more convenient, and tailored. Nevertheless, with no choice given to the consumer, the discomfort one feels due to the ruthless invasion of private life far outweighs the possible benefit of finding out about a sale at a preferred shoe store. It feels like the fight for privacy has succumbed to the allure of a misguided trust in these mega corporations.

The GDPR’s Proposed Goals and Policies

In the preamble of the GDPR proposal, the drafters have set out general goals, the most important ones being: (1) the protection of the fundamental right of an EU citizen to his privacy and personal data, (2) the harmonization of the “protection of fundamental rights and freedoms of natural persons in respect of processing activities,” (3) the free flow of personal data between Member States, and (4) redefining the scope of “personal data.” Within these 99 articles, the European Council provides strengthened and new policies that hope to achieve these goals. These new policies apply to both “controllers” and “processors” of data who work in conjunction to carry out any activity concerning the usage of personal data. The GDPR hopes to afford consumers more freedom and control over the usage of their personal data, creating a consent regime where people can request to “be forgotten,” and erase data when it no longer serves a justifiable reason. The regulation supplies higher punishments if there is a breach and increased legal compliance regulations, including keeping stricter activity logs. It also defines “personal data” more broadly, now including IP addresses, where before it only recognized personally identifiable information (names, social security, etc.). Administrative agencies will provide independent supervision over law enforcement actions and certain remedies will be made available for the infringement of privacy if it is breached unfairly or disproportionately.

Although Noble, It Is Flawed

The GDPR, however honorable in goal, is subject to several inferences that cannot currently exist. For example, a large flaw lies in the inherent gray-area of what constitutes consent. When faced with few options for providers of a product, consumers have little choice but to agree to terms that they may not approve of, including data collection. One option, as mentioned in lecture, is to begin the transition away from desiring these kinds of products. However, most people would rather risk losing control over their data than go through the hassle of protesting these practices. This exposes a deeper problem with society and its entrenched dependence on and trust in technology services, but on a higher level, points to issues concerning the value of consent in this era. With societal pressure compelling consumers to buy the latest gadgets, subscribe to cost-saving services, and glamorizing ease at the expense of independence, a consumer is lulled into freely giving consent, quickly clicking the “I agree” button, avoiding any hassle. The GDPR, in its hope that consumers will be ever vigilant and unswayed by appealing shortcuts in controlling their data, relies on an unrealistic expectation. Another issue is the great amount of trust consumers must place in their governments, administrative agencies, and companies. One must trust that once he requests to be “forgotten,” a company will swiftly and completely adhere. The realities, however, are probably much more complex and slow-moving. Consumers are also aware enough that it will be difficult to ask them to blindly believe that their data is in perfectly secure hands now that these guidelines have been approved. Moreover, if a company fails to follow through on the request, does one have sufficient means to gain compliance through the government, its agencies, and the judicial system? Would the ultimate hassle turn off most complainants? Perhaps, and that is another instance of apathy induced by a reluctance to challenge the status quo, as mentioned above with consent. The GDPR, in setting up so many steps in prevention, investigation, and enforcement, has also created an environment of bureaucracy that is shrouded in mystery and places the control away from the public and squarely in the hands of the government and corporations.

What Are Some Solutions?

It is clear that data protection is a very difficult area to regulate, as the technology engineered to shield private information is constantly being hacked, revamped, and regulated by new rules. The blanket remedies proposed in the GDPR most likely will fail in the immediate short-term due to some of the problems discussed above. However, possible actions taken by consumers themselves may help in the implementation and effectiveness of the GDPR. Most significant is the level of awareness consumers have and their general technological savvy. The more informed the consumer, the more likely the offending practice will be sniffed out and protected against. Many consumers have become complacent because they know they do not understand how data privacy works and are willing to allow third parties to regulate it for them. With a more trained eye and the confidence in what is and is not permissible or dangerous, consumers will be better equipped to handle these violations.

This draft talks about the GDPR only to the extent of mentioning its preamble. There's no discussion of anything in the regulation, or of any of the machinery of implementation. To say that the bureaucracy is "shrouded in mystery" doesn't really account for the activities of the national public servants who are charged with the work, and who are in general not all that mysterious.

So I take it that the point of the draft is not in fact to analyze the GDPR or the system it creates. Nor is there a discussion—such as I hypothesized you might want to undertake—of the actual doubts expressed by critics who think the model of the data subject and her consent is problematic not because of doubt about what constitutes consent (an issue to which the regulation does speak in terms you don't discuss), but rather because consent is not a useful tool in dealing with environmental problems in which externalities, not individual choices, drive the policy calculus.

So from here, the route to improvement seems to me to lie through another effort at editorial self-scrutiny. What is the real subject of the essay? Let's get it said, clearly and without unnecessary decoration, at the top of the piece. Then you and the reader will both know what your goals are, and it will be easier for the reader to follow you as you achieve them.



r4 - 01 Apr 2018 - 17:06:40 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.