To What Extent Is EU Privacy Law Protecting Consumers From Giving Their Data Away Unintentionally, And How Does This Interfere With Their Human Rights?

Introduction

The General Data Protection Regulation (the GDPR) has transformed the way big companies are handling data not only within the EU but also internationally. The way data is now processed is not only different to prior rules, but there is now an obligation to notify citizens about the way their data is handled by authorities and private firms. In this article I will discuss consumers' level of perception on how their data is being processed and potentially how this could be reformed to ensure greater clarity and comprehension. I will also examine whether large companies and governments (under their existing obligations) should make this clearer for consumers, while examining the impact these interactions have on our human rights.

The law as it is 

EU privacy law has been transformed with the introduction of the GDPR, which took effect in May 2018. The GDPR replaced an old Directive, 95/46/EC. Previously named the Data Protection Directive, the rules it laid out about data protection were contradictory. The rules were non-binding and could vary considerably depending on the EU state the data was being handled in, leading to some confusing differences between what data processing and protection looked like across EU states. To tackle this issue, the GDPR “aims to streamline cooperation between data protection authorities (DPAs) when enforcing the GDPR in cross-border cases”, as stated in the European Commission report.


Significantly, the GDPR was also implemented to protect ‘fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data’. The GDPR became enforceable by law through direct effect for companies operating in the EU from May 28th, 2018 (and for companies operating abroad but still dealing with EU individuals' data). For some context, the impact of change that this regulation made can be measured by the length of time companies were given to implement it. The GDPR was first recognised as law in the summer of 2016, but so as not to underestimate the seismic shift in the way data is now handled and protected, authorities and private firms had a two-year implementation period to ensure correct legal compliance.

The situation now

Big Tech continues to dominate data collection across the world, with particular emphasis on the big three social media platforms: Facebook, Twitter and Instagram. Brett Dembrow, a writer for the University of Miami’s Business Law Review, has commented at length on Big Tech’s high exploitation of consumer data. However, what I would like to discuss on this matter is not whether EU privacy law is doing enough to protect consumers from the exploitation within companies per se, but whether EU privacy law is clear enough for consumers to understand what is happening with their data. Hence, this article focuses on clarity of consent and consumer perception of data protection laws.

Public Awareness and Perception

In theory, the EU has many safeguards in place to protect its citizens from giving consent unintentionally to handlers to collect their personal data. This includes Member States being obligated to create independent public authorities to raise awareness on rights of individuals; a principle taken from Article 57 of the GDPR where it is stated that each “supervisory authority shall on its territory:... promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing” which is being conducted, through these independent public bodies. In the EU, an impressive 67% of respondents to the Special Eurobarometer survey on the GDPR knew about the existence of the GDPR. While this is evidence to suggest that these safeguards are enough, there is debate as to whether the right to protection of personal data is being upheld to an adequate standard.

Although the GDPR’s existence is widely known, further statistics demonstrate that a large quantity of people do not know what it really does. In the UK 37.3% of online users are worried about how companies are using their online data, compounded by 41.3% declining cookies in websites, at least some of the time, since leaving the EU. This suggests that, despite the GDPR and the subsequent Data Protection Act 2018 being implemented into UK law, consumers feel unsure about the extent to which their data is being fairly processed. Furthermore, if this proportion of people feel uncertain as to how their data is being processed by companies, it makes one wonder about the level of education that people within the UK are receiving, despite the aforementioned obligation upon independent authorities to educate individuals about their data and rights.

Experiences in the EU are similar; it is estimated that 41% of people do not want to share their information with private companies, which is almost double the percentage who would not feel comfortable sharing their data with public organisations, highlighting perhaps a sense of distrust towards how private companies are handling personal data, which could be fuelled by a lack of education around the topic. While member states are under the previously mentioned active obligation to inform their citizens about their rights to protection, it is revealing that only 5% of those surveyed said that they would share facial images or fingerprints with private companies. If there were adequate public information on the matter, residents would therefore know that one of the key principles of the GDPR is the ‘right to be forgotten’. This process of erasure can take place where an individual retracts their consent for the data to be held, and the process can begin on multiple grounds: for instance, when there is no legal ground for the data to be held or when the data collected is no longer necessary for the purposes for which it was collected. I believe that knowing these facts would help people feel more certain about allowing companies to collect, process and look after their data well.

Problems with Consent 

Article 7 of the GDPR outlines what it means for authorities and firms to ask for ‘consent’ for data handling. Essentially, what is to occur on websites (or on any other platform requiring an individual to consent to their data being processed) is that the controller must be able to demonstrate that ‘the data subject has consented to processing of his or her personal data’. Article 7(2) goes on to elaborate that if the declaration requesting consent is in written form, it must be in ‘an intelligible and easily accessible form’ and must be ‘clearly distinguishable from the other matters’, otherwise the Regulation will be infringed upon. However, as Dembrow explores, social media companies, like Facebook, bypass these rules by making users accept their terms and conditions as a way to use their accounts. As a result, users will, often unknowingly, give consent for their data to be sold to third parties, otherwise their use will be restricted on social media platforms. Dembrow summarises the problem effortlessly: “Social media companies argue that by agreeing to their terms and conditions and privacy policies, users relinquish their expectation of privacy while using the platform and its associated services.”

With prior statistics being considered, it is telling that there are swathes of individuals in the EU and the UK alike who feel apprehensive about giving their data away because there exists a large amount of uncertainty in how it will be processed.

Interference with Human Rights

When considering the question of whether data protection is doing enough to safeguard individual autonomy, one has to examine whether there are any severe interferences with human rights. A good place to start is the EU Charter on Fundamental Rights, of which I believe there are some gross breaches.

If one is to examine Article 25, the rights of the elderly, I believe that the European Union has not done enough to protect their rights. Under the policy it is directed that the elderly should be able to ‘lead a life of dignity and independence and to participate in social and cultural life.’ If assessed through a purposive lens, this right is evidently infringed upon. Alarmingly, Age UK has found from their analysis that almost one in four elderly people (23%) do not know how to turn on a device and enter any account login information as required and a further 24% do not know how to open an Internet browser (like Google Chrome or Safari). If applied to one's own experiences, how often does one get asked by their elderly relatives about how to perform simple tasks on their gadgets? For me, I am consistently asked how to use some straightforward function or another. Additionally, if a quarter of elderly people are unable to perform basic technological functions, are they not automatically excluded from their right to participate socially and independently?

Further analysis on how the elderly are navigating in our digital world is revealing. An assessment was conducted evaluating the impact of the ‘Keeping Well at Home’ booklets that were delivered to the doors of the over 65s in Greater Manchester during the Coronavirus pandemic. The physical booklets informed people of ways to stay physically and mentally well and the response was overwhelmingly positive. 92% of respondents found the information helpful and 50% of those who had a booklet delivered did not have access to the internet and would have otherwise struggled to find this information. Conclusions drawn from the evaluation found that ‘print-based communications are preferred over digital’ for older groups and the ‘digital by default’ approach is exclusionary for the elderly. If a breach of this right can be proven, the EU should set up initiatives to drive public bodies and private companies to make their services more accessible, like implementing letters and handwritten cheques instead of emails and online bank transfers.

So, how does the European Union expect the elderly to live a life of ‘dignity and independence’? Many of this elderly demographic have a compromised ability to use the internet, even though a large majority of everyday tasks, such as booking appointments, are done online. It is infeasible to expect the elderly to adequately consent to data collection on websites and other platforms.

Whilst it is not as common for younger groups to be unable to participate in technology and the internet, it is not a generational trend for people to feel insecure in their privacy protection. Article 8 of the Charter of Fundamental Rights governs the protection of personal data and ensures that it is ‘processed fairly’ and for ‘legitimate basis laid down by law’. With regards to processing data fairly, should that not include mandatory information on why that data is being collected in the first place and how it will be subsequently handled? In the Special Eurobarometer survey on the GDPR, only 22% of respondents who use the internet said they always feel informed about the terms and conditions under which the personal data they provide online is collected and used. If only these respondents feel adequately informed every time their data is collected and used, it means roughly 80% will not necessarily be feeling secure in the way their data is processed.

As the request for consent must be presented in “an intelligible and easily accessible form, using clear and plain language”, there are conflicts as to whether these goals are being met in reality. In what is named as ‘privacy self-management’, Solove, an international expert on privacy, discusses how self-management in privacy (also known as a ‘bundle of rights’ people are given in an attempt to control how their data is collected, stored and disclosed) is undermined by the structural features pertinent to websites, rendering it virtually impossible to manage one’s data collections. ‘The Problem of Scale’ is the term coined to describe this dilemma: individuals simply do not have enough time to read through pages of company privacy policy despite companies’ best efforts to ensure their policies are accessible for everyone. This considered, it does make one begin to question whether Article 8’s aspirations for consent in data collection are a feasible reality.

 

As discussed, when assessing human rights, it is difficult to argue that companies and public authorities are doing everything within their power to ensure that data collections on websites are clearly formatted. Solove reiterates that ‘the law aims to give people control over their data’; however, these ideals are tampered with by the fact that many people cannot give consent in a ‘meaningful’ way. Where these principles are largely championed by the GDPR, the guidance fails to consider whether the process in which personal data is collected is fair, especially when people have become accustomed to giving their data away freely. I believe, if Solove’s findings are taken into account, many authorities and private firms would not be able to justify that their collection of data is just because of the problem of scale that Solove discusses. Additionally, Dembrow comments that ‘users should be given the opportunity to consent to, block, or disable cookies.’ No matter how simple and clear the terms and conditions are on a website, they are often too lengthy for many consumers to digest, ultimately removing the individual’s agency in data protection.

This leaves EU lawmakers and online regulators in a difficult position: do they allow for potential exploitation of their citizens to occur, or do they approach it in a radically different way; a paternalistic one, as Solove touches upon? One of the dangers of paternalism in data protection is that people would face a lack of choice if data collection was streamlined across all services. For instance, there are individuals that want their data to be collected by companies so they can benefit from targeted marketing. I believe there is an argument to be made about the increase in data collection and thus an erosion in privacy protections being a natural by-product of the Internet age, but that is for a different article. In order to use the basic functions of some websites and social media platforms one must allow for their collection of personal data. So, it comes as no surprise that many people, albeit sometimes reluctantly, are willing to compromise on the management of their data in order to use these platforms.

Final Thoughts

Strikingly, while the GDPR has accomplished many things in the EU and globally, if there is a system of networks that seem to thrive on collecting personal data, with the majority not thoroughly understanding the implications of what they are consenting to, the GDPR has ultimately failed EU citizens. Moreover, the GDPR had an opportunity to cater for the elderly generation, by holding companies to account for either not providing no-internet options or very clear data processing consent pages, and has failed. Even without the added protection that Articles 8 and 25 offer, the GDPR simply has not done enough for consumer transparency in data collections, regardless of age and ability. That is not to undermine the GDPR’s success in overall data collection transparency; but I cannot argue that the GDPR has been truly successful if the large majority neither thoroughly understand nor trust the implications of how their data is being processed by large corporations.

References:

[1] Paul M. Schwartz, 'Global Data Privacy: The EU Way' (2019) 94 NYU L Rev 771 - 818, 771.

[2] Lord N, Groot JD and Lord N, ‘What Is the Data Protection Directive? The Predecessor to the GDPR’ (Digital Guardian, 28 December 2022). <https://www.digitalguardian.com/blog/what-data-protection-directive-predecessor-gdpr> accessed 7 November 2023.

[3] European Commission, ‘Data Protection in the EU’ (European Commission, 2022) <https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en> accessed 19 November 2023.

[4] Consolidated Version of Charter of Fundamental Rights of the European Union [2009] OJ C 326 391

[5] Voss G, ‘European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting’ (2016) 72 The Business Lawyer, 221.

[6] Brett Dembrow, 'Investing in Human Futures: How Big Tech and Social Media Giants Abuse Privacy and Manipulate Consumerism' (2022) 30 U Miami Bus L Rev 324.

[7] ibid.

[8] ‘How Concerned Are Europeans about Their Personal Data Online?’ (European Union Agency for Fundamental Rights, 14 December 2020) <https://fra.europa.eu/en/news/2020/how-concerned-are-europeans-about-their-personal-data-online> accessed 7 November 2023.

[9] Regulation (EU) 2016/679 of May 28 2018 the General Data Protection Regulation (‘the GDPR’) [2018] OJ L 127 art 57.

[10] EU Commission, ‘Briefing, EU Policies – Insights, Understanding EU data Protection Policy’ COM (2020)

[11] Statista, ‘Topic: Online Privacy in the UK’ (Statista, January 2023) <https://www.statista.com/topics/7342/online-privacy-in-the-uk/> accessed 7 November 2023.

[12] The Data Protection Act 2018

[13] EUAFR, ‘How Concerned Are Europeans about Their Personal Data Online?’ (European Union Agency for Fundamental Rights, 14 December 2020) <https://fra.europa.eu/en/news/2020/how-concerned-are-europeans-about-their-personal-data-online> accessed 7 November 2023.

[14] ibid.

[15] Regulation (EU) 2016/679 of May 28 2018 the General Data Protection Regulation (‘the GDPR’) [2018] OJ L 127 art 17.

[16] Brett Dembrow, 'Investing in Human Futures: How Big Tech and Social Media Giants Abuse Privacy and Manipulate Consumerism' (2022) 30 U Miami Bus L Rev 324, 326.

[17] Consolidated Version of Charter of Fundamental Rights of the European Union [2009] OJ C 326/391 art 25

[18] Age UK, ‘Age UK Analysis Reveals That Almost 6 Million People (5,800,000) Aged 65+ Are Either Unable to Use the Internet Safely and Successfully or Aren’t Online at All’ (Age UK, 19 September 2023) <https://www.ageuk.org.uk/latest-press/articles/2023/age-uk-analysis-reveals-that-almost-6-million-people-5800000-aged-65-are-either-unable-to-use-the-internet-safely-and-successfully-or-arent-online-at-all/> accessed 22 November 2023.

[19] Annemarie Money, ‘Oral presentations: Future Facets of Public Health and Health Care’ (2021) 31(3) European Journal of Public Health 26.

[20] ibid.

[21] Consolidated Version of Charter of Fundamental Rights of the European Union [2009] OJ C 326 391

[22] Commission, ‘Briefing, EU policies – insights, Understanding EU Data Protection Policy’ COM (2020)

[23] Daniel J. Solove, 'Introduction: Privacy Self-Management and the Consent Dilemma' (2013) 126 Harv L Rev 1880, 1880.

[24] ibid 1888.

[25] ibid 1888-1889.

[26] Brett Dembrow, 'Investing in Human Futures: How Big Tech and Social Media Giants Abuse Privacy and Manipulate Consumerism' (2022) 30 U Miami Bus L Rev 324, 326.

[27] Daniel J. Solove, 'Introduction: Privacy Self-Management and the Consent Dilemma' (2013) 126 Harv L Rev 1880, 1893.

[28] ibid 1896

Bibliography

Table of Legislation:

UK Legislation:

The Data Protection Act 2018

EU Legislation:

Consolidated Version of Charter of Fundamental Rights of the European Union [2009] OJ C 326 391

Regulation (EU) 2016/679 of May 28 2018 the General Data Protection Regulation (‘the GDPR’) [2018] OJ L 127

Secondary Sources

Journal Articles:

Dembrow B, 'Investing in Human Futures: How Big Tech and Social Media Giants Abuse Privacy and Manipulate Consumerism' (2022) 30 U Miami Bus L Rev 324

Money A, ‘Oral presentations: Future facets of public health and health care’ (2021) 31(3) European Journal of Public Health 26.

Paul M. Schwartz, 'Global Data Privacy: The EU Way' (2019) 94 NYU L Rev 771 - 818, 771.

Voss G, ‘European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting’ (2016) 72 The Business Lawyer, 221.

Reports

Age UK, ‘Age UK Analysis Reveals That Almost 6 Million People (5,800,000) Aged 65+ Are Either Unable to Use the Internet Safely and Successfully or Aren’t Online at All’ (Age UK, 19 September 2023) <https://www.ageuk.org.uk/latest-press/articles/2023/age-uk-analysis-reveals-that-almost-6-million-people-5800000-aged-65-are-either-unable-to-use-the-internet-safely-and-successfully-or-arent-online-at-all/> accessed 22 November 2023.

Commission, ‘Briefing, EU policies – insights, Understanding EU data protection policy’ COM (2020)

European Commission, ‘Data Protection in the EU’ (European Commission, 2022) <https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en> accessed 19 November 2023.

European Union, ‘How Concerned Are Europeans about Their Personal Data Online?’ (European Union Agency for Fundamental Rights, 14 December 2020) <https://fra.europa.eu/en/news/2020/how-concerned-are-europeans-about-their-personal-data-online> accessed 7 November 2023.

Lord N, Groot JD and Lord N, ‘What Is the Data Protection Directive? The Predecessor to the GDPR’ (Digital Guardian, 28 December 2022) <https://www.digitalguardian.com/blog/what-data-protection-directive-predecessor-gdpr> accessed 7 November 2023.

Statista, ‘Topic: Online Privacy in the UK’ (Statista, January 2023) <https://www.statista.com/topics/7342/online-privacy-in-the-uk/> accessed 7 November 2023.