Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

GDPR: A Step Towards a User-centric Internet?

GDPR: A Step Towards a User-centric Internet? DOI: 10.1007/s10272-017-0676-5 Forum End of previous Forum article Maciej Sobolewski, Joanna Mazur and Michał Paliński Originated as a collaborative research project and de- online activities. Since these origins, this network of signed as a decentralised network of networks, the in- networks has undergone substantial changes, casting ternet was founded on the principles of openness, trans- doubts on whether the fundamental principle of user-cen- parency, non-discrimination and user-centricity. The two tricity is still valid today. Firstly, the rapidly growing role of fundamental elements for user-centricity are freedom the internet as a commercial marketplace has shifted the of choice and ability to exercise control upon one’s own focus to consumption of content and away from end-user service creation. Secondly, the rise and success of busi- ness models based on multi-sided intermediation, utilisa- tion of personal data and monetisation of network effects Maciej Sobolewski, University of Warsaw, Poland; has shifted the balance of control and power away from and European Commission, Seville, Spain. end-users. Incidents of competitive misconduct by domi- nant online platforms or abuse of personal data have led Joanna Mazur, University of Warsaw, Poland. Michał Paliński, University of Warsaw, Poland. 1 Internet Society (ISOC): Preserving the User Centric Internet, Discus- sion Paper, 2009. ZBW – Leibniz Information Centre for Economics 207 Forum to calls to reinforce user control, based on a return to the cording to which data is regarded as a tradable asset and user-centric origins of the internet. is becoming a kind of online currency. This tension repre- sents a challenging dichotomy of the online world. This paper discusses upcoming personal data protection reform in the EU from the user-centricity perspective. According to the defi nitions in the GDPR, “personal data” The new regulation – the General Data Protection Regu- means any information relating to an identifi ed or identi- lation (GDPR) – introduces extensive informative obliga- fi able natural person described as a data subject. The tions on service providers and grants users with rights to functional approach towards defi ning personal data al- data erasure, to object to processing, to the portability of lows for a wide range of identifi ers to be classifi ed as data on request and to object to profi ling. These protec- such, as technology and online behaviour progresses tion measures, as well as new obligations for providers even further. to ask for explicit consent to collect data for all speci- fi ed purposes, greatly enhance the control of end-users Current and future legal framework over the utilisation of their personal data online. While the potential empowering impact of the GDPR is huge, we Currently, the legal ground for privacy protection in the argue that the ambivalent attitudes of users towards data EU is Directive 95/46. Electronic communication, howev- protection, as well as the risk of differentiation of legal er, is subjected to special regulations based on the regu- practice among member states, can seriously limit the latory framework of the ePrivacy Directive. Both docu- real effects of the privacy reform. ments have since been perceived as inadequate for a growing data-driven economy, and therefore the member The right to export on request all personal data collected states agreed upon the necessity of implementing major by the given online provider is the key novel element of reforms regarding the data protection framework. GDPR. Incumbent providers will no longer enjoy advan- tages resulting from the exclusive use of large volumes The GDPR will come into force on 25 May 2018. Even of user-generated data. As a consequence, portability though it will provide a unifi ed framework concerning da- dramatically lowers barriers to entry for innovative ser- ta protection for all the member states, countries would vices and opens the market for business models in which still be able to regulate to some extent the execution of personal data is controlled and leased by the users in- rights and obligations created by the GDPR. stead of being a sort of non-monetary currency paid in exchange for access to nominally free services. We ar- The selection of regulations as a tool for data protec- gue that potential benefi ts from data portability are clear- tion unifi cation in EU member states has some impor- ly underestimated by end-users, and therefore there is tant consequences. Regulations become immediately a need for its empowerment. Of particular importance enforceable in all member states simultaneously. In con- is treating this instrument in an unrestricted and user- trast to directives, regulations do not need to be trans- friendly manner to the broadest possible extent. posed into national law; in fact, this is forbidden. How- ever, it is necessary to implement certain legal acts, for Protection of personal data in the EU – legal example concerning procedural aspects of the regulation perspective or providing catalogues of exemptions, which can result in divergences in terms of the effects of the GDPR. The approach towards privacy represented in EU law is based on the fundamental assumption that the right Unifi ed or diversifi ed legal practice? to privacy and the protection of personal data are ba- sic human rights. Privacy is protected by the Charter of Member states implement regulations for the handling Fundamental Rights, in Articles 7 and 8, as a right of an of privacy cases (in accordance with the procedural au- individual. There is tension between this approach and tonomy of the member states) as well as solutions for the an alternative view that is currently gaining traction, ac- institutional environment. This may lead to a differentia- tion of legal practice. 2 European Parliament: Regulation (EU) 2016/679 of the European Par- liament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Gen- 4 European Parliament, op. cit., p. 2. eral Data Protection Regulation), in: Offi cial Journal of the European 5 Directive 2002/58/EC of the European Parliament and of the Council, Communities, No. L 119, 4 May 2016. 12 July 2002 3 European Union: Charter of Fundamental Rights of the European 6 J. Chen: How the best-laid plans go awry: the (unsolved) issues of Union, in: Offi cial Journal of the European Communities, No. C 365, applicable law in the General Data Protection Regulation, in: Interna- 18 December 2000, pp. 1-22. tional Data Privacy Law, Vol. 6, No. 4, 2016, p. 310. Intereconomics 2017 | 4 208 Forum Firstly, the autonomy of the member states allows for Last but not least, some differences in legal practice implementing national solutions, which can determine which may occur will be due to the innovative character the extent to which the data subject’s rights will be guar- of some of the implemented solutions. Therefore, select- anteed. Even though the GDPR contains the possibil- ed terms such as “automated processing” or “portabil- ity of signifi cant fi nancial sanctions in the case of non- ity” still have not been suffi ciently clarifi ed. compliance by data processors or controllers, the role of national regulations in providing their institutions with Legal concepts of GDPR an appropriate framework to use options created by the GDPR should not be disregarded. The fi nancial and or- The GDPR introduces new institutions and also changes ganisational independence of national institutions re- existing ones. The foundations for the new legal state of sponsible for privacy protection are crucial factors which the art are the explicit concepts of data protection by de- cannot be underestimated. sign and by default. They refer to the necessity of imple- menting data protection tools at the stage of creating the Secondly, the derogations allowed for in the GDPR may system which is used to collect data and in creating rules lead to a differentiation of the scope of protection de- for the users. Assuming minimisation of personal data pending on national regulations. According to the GDPR, collection and use, both concepts provide the basis for such derogations are allowed the EU’s data protection reform and should guarantee an adequate level of protection. where it is in the public interest to do so, in particular processing personal data in the fi eld of employment However, it should be noted that processing anonymised law, social protection law including pensions and for data is understood as complying with the privacy by de- health security, monitoring and alert purposes, the sign and privacy by default rules. This may raise con- prevention or control of communicable diseases and cerns regarding the effi cacy of data protection by design other serious threats to health. as it is defi ned in the GDPR. Well-known cases of data 10 11 breaches – such as AOL in 2006 and Yahoo in 2014 Even though recital 54 of the GDPR introduces limita- – prove anonymisation to be a hardly satisfying data pro- tions concerning the possibility to process this data for tection measure. other purposes by third parties, such as employers or in- surance and banking companies, it is diffi cult to foresee Consent to processing how states will use the possibilities which they are grant- ed by these exemptions. However, the jurisprudence of One of the conditions under which data processing is the Court of Justice of the European Union (CJEU) thus lawful is if the user provides consent. Therefore, it is cru- far proves that terms such as “public interest” should be cial how “lawful consent” will be understood under the interpreted carefully and the implemented solutions al- GDPR. According to the GDPR, consent must be given ways need to be proportionate to the aims they serve. by a statement or a clear affi rmative action. Moreover, consent should cover all processing activities carried out Thirdly, a lack of regulation could also result in national for the same purpose or purposes. In cases in which the divergences. For example, the GDPR does not regulate processing has multiple purposes, consent should be giv- conditions under which profi ling (understood as combin- en for each one. The GDPR directly claims that consent is ing and processing personal data) may be used if a hu- man factor is involved in this process. This means that 8 In this respect, it is worth mentioning the opinions contained in Arti- the existence of mechanisms which allow human inter- cle 29 Data Protection Working Party: Opinion 15/2011 on the defi ni- tion of consent, 01197/11/EN, WP187, 13 July 2011, which may help to vention in the processing leads to a state’s ability to regu- unify the understanding of main concepts. late the processing in its national legal system. The regu- 9 European Parliament, op. cit., p. 48. lation does not introduce strict transparency imperatives 10 The AOL data breach in 2006 led to the possibility of identifying cer- tain individuals even though the data were anonymised. Documents concerning the algorithms which determine the outcome regarding the legal action against AOL and the fi nal settlement can of this profi ling. As the evolution of legal practice will be accessed online at https://www.technologylawdispatch.com/ be bound and partly determined by the development of wp-content/uploads/sites/26/2013/05/fi nal-as-fi led-landwehr-settle- ment-agreement.pdf and https://www.technologylawdispatch.com/ technologies helping either to avoid or achieve compli- wp-content/uploads/sites/26/2013/05/https-ecf-vaed-uscourts-gov- ance with the general rules of European privacy protec- cgi-bin-show_doc-pl-ca.pdf. tion, it can be expected that new issues regarding inter- 11 Another enormous data breach concerning Yahoo users resulted in legal action; see In re Yahoo! Inc. Customer Data Security Breach Liti- net privacy will soon emerge. gation, Case No. 16-MD-02752-LHK, Order Selecting Lead Plaintiffs’ Counsel and Plaintiffs’ Executive Committee. 7 European Parliament, op. cit., p. 10. 12 European Parliament, op. cit., p. 6. ZBW – Leibniz Information Centre for Economics 209 Forum presumed not to be freely given if a contract depends on Right to data portability this consent despite the data collection not being neces- sary to fulfi l the contract. The conditionality of a selected The right to data portability creates a new right for the data user’s rights, which depend on the fact that processing subject. According to Article 20 of the GDPR, was performed with the user’s consent, may also be used to weaken the user’s position as subject of the personal the data subject shall have the right to receive the per- data. After all, one might argue, that “the consent model sonal data concerning him or her, which he or she has operates to undermine privacy and to some extent facili- provided to a controller, in a structured, commonly used tates surveillance”. and machine-readable format and have the right to transmit this data to another controller. Information requirements If the data is subjected to automated processing, the con- The GDPR lists 12 categories of information that should troller is obliged to fulfi l the request of the data subject be provided to the data subject. The data controllers will “without undue delay and in any event within one month be obliged to provide the data subject not only with the of receipt of the request”. The actual meaning of the right identity of the data collector and the relevant data pro- to data portability will depend on the efforts to be made to tection offi cer, but also about the aim of the data collec- gain possession of the data and the willingness of the cus- tion and about the handling and storage of the data. The tomers to use the new opportunities. GDPR requires that information should be provided “in a concise, transparent, intelligible and easily accessible Automated processing including profi ling form, using clear and plain language”. According to Article 4 of the GDPR, profi ling is defi ned Right to erasure and right to object to processing as “any form of automated processing of personal data consisting of the use of personal data to evaluate cer- The GDPR strengthens the user’s rights both to object tain personal aspects relating to a natural person”. The to processing of data (through Article 21) and to demand legal perspective varies according to the aim and result erasure of one’s data (the right to be forgotten). Article 17 of the profi ling. For example, the data subject may ob- of the GDPR contains a catalogue of situations in which ject to processing for direct marketing purposes. Article “the data subject shall have the right to obtain from the 22 guarantees the right “not to be subject to a decision controller the erasure of personal data concerning him or based solely on automated processing, including profi l- her without undue delay”. This clarifi es the conditions ing, which produces legal effects concerning him or her under which it is possible to refer to the right to be forgot- or similarly signifi cantly affects him or her”. Examples ten as defi ned by the CJEU. The grounds for demanding of such situations could be automatic refusal of an online erasure have to fulfi l the conditions set out in the GDPR. credit application or e-recruiting practices without any Even though the catalogue of situations which allow the human intervention. data subject to demand the erasure of data seems to be broad, there are some problems, such as the fact that Economics of online privacy and GDPR third parties might have different arguments regarding the lawfulness of the data processing, which weakens the In 2010 Facebook aroused a controversy by introducing meaning of the right to erasure. new default privacy settings for its 350 million users. Ac- cording to numerous civil liberties campaigners, as well as some consumer protection organisations, the change was 13 An example would be a situation in which one wants to purchase a clearly intended to push the platform’s users to expose service which is performed via the internet and the data processor more personal data online while decreasing their control demands e.g. the user’s home address and consent for sending the advertisements via the post. This type of consent would not be re- garded as freely given, because it not only leads to demand for data which is not necessary for the contract’s performance, but which is also not necessary to perform the contract. See ibid., p. 8. 14 A. Sarat (ed.): A World Without Privacy: What Law Can and Should Do?, Cambridge 2014, Cambridge University Press. 15 Article 12 of the GDPR allows the use of graphic icons to fulfi l the in- formative obligations: “The information to be provided to data sub- jects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible 17 Ibid., p. 45. and clearly legible manner a meaningful overview of the intended pro- 18 Ibid., p. 39. cessing”. See European Parliament, op. cit., p. 39. 19 Ibid., p. 33. 16 Ibid., p. 43. 20 Ibid., p. 46. Intereconomics 2017 | 4 210 Forum Figure 1 The privacy paradox across the EU Concerned about online privacy Have changed online privacy settings 38% 79% 39% 71% 62% 67% 70% 41% 38% 65% 50% 58% 67% 57% 58% 56% 79% 47% 71% 62% 71% 79% 72% 44% 68% 54% 63% 74% 76% 51% 73% 69% 52% 68% 52% 60% 56% 39% 67% 56% 69% 55% 56% 51% 70% 49% 40% 67% 51% 76% 66% 59% 52% 79% 72% 58% 69% 74% 76% 58% Note: Left pane: Concern about not having complete control over the information provided online (among respondents who feel that they do not have complete control over their personal data online). Right pane: Respondents who have tried to change the privacy settings of personal profi le from the de- fault settings on social networks (base: respondents who use online social networks). nleft = 16,244; nright = 15,339. Sour ce: Own elaboration based on data from European Commission: Special Eurobarometer 431. Data Protection, Wave EB83.1, 2015. over this shared information. However, Facebook CEO primarily through the GDPR – a regulation that aims to re- Mark Zuckerberg justifi ed the privacy changes at that time place the outdated Data Protection Directive of 1995, im- by claiming that: plemented at a time when less than one per cent of EU citizens used the internet. People have really gotten comfortable not only sharing more information and different kinds, but more openly Ambivalent attitudes towards online privacy and with more people. That social norm is just some- thing that has evolved over time. The Commission justifi es the new data regulation to a large extent as a means to allay the privacy concerns of private Is privacy in the digital era a thing of the past? The Ex- individuals. But do internet users really care about having ponential growth of online platforms fuelled by the utilisa- control over personal information they share online? Sur- tion of personal data and the development of predictive veys and polls show that online privacy is indeed an im- analytics, which eases the re-identifi cation of anonymous portant concern for EU citizens. According to the results individuals, support this statement. Nevertheless, the of the 2015 Eurobarometer comprehensive survey, more European Commission still plans to extend oversight over than eight out of ten respondents across the EU feel that companies that process the personal data of EU citizens, they do not have complete control over their personal data online. Among them, two-thirds are concerned about that fact (see Figure 1). On the other hand, studies indicate that 21 See K. Bankston: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly, Electronic Frontier Foundation, 9 December individuals tend to reveal their personal data for a low level 2009, available at https://www.eff.org/de/deeplinks/2009/12/face- books-new-privacy-changes-good-bad-and-ugly. The privacy set- ting change gave users the ability to alter settings on items they up- load to the site, such as photographs and videos, but all of their status 24 European Commission: Communication from the Commission to the updates were automatically made public unless specifi ed otherwise. European Parliament and the Council. Exchanging and Protecting 22 B. Johnson: Privacy no longer a social norm, says Facebook found- Personal Data in a Globalised World, COM/2017/0007, Brussels 2017. er, The Guardian, 11 January 2010. 25 Ibid. The document also contains other arguments pertaining to the 23 See K. Crawfor d, J. Schultz: Big data and due process: Toward benefi ts for businesses stemming from harmonisation of the legisla- a framework to redress predictive privacy harms, in: Boston College tion of 28 member states. Law Review, Vol. 55, No. 1, 2014, pp. 93-128, and A. Dix et al.: EU 26 This includes e.g. the opportunity to correct, change or delete per- Data Protection Reform: Opportunities and Concerns, in: Intereco- sonal data. See European Commission: Special Eurobarometer 431. nomics, Vol. 48, No. 5, 2013, pp. 268-285. Data Protection, Wave EB83.1, 2015. ZBW – Leibniz Information Centre for Economics 211 Forum of remuneration. Moreover, notwithstanding the stated users are vulnerable to underestimation of future risks re- concern and reluctance to share personal data online, Eu- lated to personal data disclosure but that they overestimate ropeans often do not take basic actions to prevent unwill- current benefi ts from its disclosure. Behavioural economics ing disclosure, for example by changing the privacy set- argues that since privacy concerns are often expressed ge- tings on social networks (see Figure 1). Such inconsistency nerically, they may not correspond directly with the user’s between declared concerns and actual behaviour marks actual behaviour. the ambivalence in attitudes towards privacy. This “pri- vacy paradox” is a well-established concept in the social Valuation of GDPR – empirical evidence sciences and has gained a lot of attention from empirical researchers in recent years. The data in Figure 1 indicates The economic analysis of privacy starts with the observa- the existence of a privacy paradox in the EU, particularly in tion that personal data has been commodifi ed into a trade- central and southern member states. able asset. Implementation of enhanced privacy control mechanisms will help to create a supply side of data mar- In recent years, numerous studies have tried to explain the kets, generating positive welfare effects for users. Accord- privacy paradox, providing logical explanations of the dis- ing to a recent empirical study undertaken on a sample of crepancy between declared concerns and behaviour relat- digital natives in Poland, this is indeed the case. The gross ed to the management of personal data. The most promi- consumer surplus implied by a combination of extended nent from an economic perspective are based on privacy measures planned in the GDPR equals €6.50 per capita per calculus theory and behavioural privacy economics. Both month – roughly 50% of the monthly broadband subscrip- approaches make contrary assumptions regarding the us- tion fee. Out of the tools provided by the new regulation, the ers’ rationality. The former is founded on the premise that one that individuals valued most highly was the right to be agents make rational decisions. The level of online privacy forgotten (€1.40 per month). protection is thus a solution to the trade-off between the expected risks and potential benefi ts of disclosure of per- The next most highly valued tools were the extended scope sonal data. The voluntary disclosure of personal data by of information obligations for providers and the right to people who claim to be concerned about their privacy is object to profi ling (each worth €1.00 per month). Interest- justifi ed by the fact that gains from revealing personal data ingly, consumers do not acknowledge data portability as a are often intangible, such as peers’ attention or social capi- valuable instrument, despite the fact that it plays a key role tal. When these intangible rewards are taken into account, in GDPR reform as a potential game changer for the end- they might outweigh the perceived risks and explain the user-oriented data markets. The increase in the consumer seemingly paradoxical situations. surplus driven by the GDPR refl ects the value of breaking the asymmetry of information and reducing the three major The behavioural economics approach is based on the claim sources of user uncertainty: What data is used online? By that users’ decisions are to a large extent affected by heu- whom? And for which purposes? ristics and cognitive biases such as optimism and affection bias, overconfi dence, fuzzy-boundary, benefi t heuristics or Conclusions hyperbolic discounting. Studies in this fi eld suggest that GDPR reform undoubtedly increases users’ abilities to 27 See: Table X-B A. in A. Acquisti, C. Taylor, L. W agman: The Eco- control their personal data online. Concepts such as priva- nomics of Privacy, in: Journal of Economic Literature, Vol. 54, No. 2, cy by design and privacy by default should lead to the more 2016, pp. 442-492. effective implementation of data protection tools. Informa- 28 H. Holland: Privacy Paradox 2.0, in: Widener Law Journal, Vol. 19, 2009, pp. 1-21. tion obligations on data controllers and processors could 29 In S. Kokolakis: Privacy Attitudes and Privacy Behaviour, in: Com- also raise end-users’ awareness of to what extent and for puters & Security, Vol. 64, January 2017, pp. 122-134, 18 studies are which purposes their data is being processed. The right surveyed providing evidence supporting the privacy paradox hypoth- esis and 11 challenging it. to be forgotten and the right to object to processing could 30 T. Dinev, P. Hart: Internet Privacy Concerns and Social Awareness play a vital role in allowing users to control the spread of as Determinants of Intention to Transact, in: International Journal of their data on the internet. Therefore, taken as such, GDPR Electronic Commerce, Vol. 10, No. 2, 2006, pp. 7-29. 31 H. Lee, H. Park, J. Kim: Why do people share their context informa- is surely a step towards a user-centric internet. There are, tion on Social Network Services? A qualitative study and an experi- mental study on users’ behavior of balancing perceived benefi t and risk, in: International Journal of Human-Computer Studies, Vol. 71, 33 A. Acquisti, C. Taylor, L. W agman, op. cit. No. 9, 2013, pp. 862-877. 34 S. Pr eibusch: The Value of Web Search Privacy, in: IEEE Security 32 J. Gr ossklags, S. Hall, A. Acquisti: When 25 Cents is too much: and Privacy, Vol. 13, No. 5, 2015, pp. 24-32. An Experiment on Willingness-To-Sell and Willingness-To-Protect 35 M. Sobolewski, M. Palinski: How much do consumers value on- Personal Information, in: Workshop on the Economics of Information line privacy? Welfare assessment of new data protection regulation Security (WEIS), 2007, pp. 7-8. (GDPR), WNE Working Paper No. 17/2017 (245), forthcoming. Intereconomics 2017 | 4 212 Forum however, some risks and impediments ahead, and it is hard from a policy perspective, this mechanism is of great im- to foresee how big this step will actually be. portance as a potential game changer which could shift the control over personal data from service providers to First, there are still some reasons to suspect that legal end-users and lower barriers to entry for innovative ser- practice will not lead to the absolute unifi cation of data vices. The failure of end-users to acknowledge the im- protection levels in the member states. The exemptions al- portance of data portability is an early warning sign with lowed in the GDPR, the procedural autonomy of the mem- regards to the effective implementation of the GDPR. ber states and the fact that some of the newly implemented Hence, keeping this instrument unrestricted and user- solutions will eventually be shaped by the CJEU will infl u- friendly to the broadest possible extent is of particular ence the everyday practice of data protection in the EU. importance. Second, it is hard to tell today whether data portability will become an important instrument that encourages users 36 A good example of such services are privacy management platforms, such as Hub-of-All-Things (HAT) or Cambridge Blockchain. They en- to move their data between different service providers. able users to manage personal data from multiple accounts and ser- Currently, users seem to underestimate its role. However, vices by storing it in a virtual container. ZBW – Leibniz Information Centre for Economics http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Intereconomics Springer Journals

GDPR: A Step Towards a User-centric Internet?

Download PDF
7 pages

Loading next page...
 
/lp/springer_journal/gdpr-a-step-towards-a-user-centric-internet-FjcUy09RBR

References (4)

Publisher
Springer Journals
Copyright
Copyright © 2017 by ZBW and Springer-Verlag GmbH Germany
Subject
Economics; Economic Policy; European Integration; Social Policy; Labor Economics
ISSN
0020-5346
eISSN
1613-964X
DOI
10.1007/s10272-017-0676-5
Publisher site
See Article on Publisher Site

Abstract

DOI: 10.1007/s10272-017-0676-5 Forum End of previous Forum article Maciej Sobolewski, Joanna Mazur and Michał Paliński Originated as a collaborative research project and de- online activities. Since these origins, this network of signed as a decentralised network of networks, the in- networks has undergone substantial changes, casting ternet was founded on the principles of openness, trans- doubts on whether the fundamental principle of user-cen- parency, non-discrimination and user-centricity. The two tricity is still valid today. Firstly, the rapidly growing role of fundamental elements for user-centricity are freedom the internet as a commercial marketplace has shifted the of choice and ability to exercise control upon one’s own focus to consumption of content and away from end-user service creation. Secondly, the rise and success of busi- ness models based on multi-sided intermediation, utilisa- tion of personal data and monetisation of network effects Maciej Sobolewski, University of Warsaw, Poland; has shifted the balance of control and power away from and European Commission, Seville, Spain. end-users. Incidents of competitive misconduct by domi- nant online platforms or abuse of personal data have led Joanna Mazur, University of Warsaw, Poland. Michał Paliński, University of Warsaw, Poland. 1 Internet Society (ISOC): Preserving the User Centric Internet, Discus- sion Paper, 2009. ZBW – Leibniz Information Centre for Economics 207 Forum to calls to reinforce user control, based on a return to the cording to which data is regarded as a tradable asset and user-centric origins of the internet. is becoming a kind of online currency. This tension repre- sents a challenging dichotomy of the online world. This paper discusses upcoming personal data protection reform in the EU from the user-centricity perspective. According to the defi nitions in the GDPR, “personal data” The new regulation – the General Data Protection Regu- means any information relating to an identifi ed or identi- lation (GDPR) – introduces extensive informative obliga- fi able natural person described as a data subject. The tions on service providers and grants users with rights to functional approach towards defi ning personal data al- data erasure, to object to processing, to the portability of lows for a wide range of identifi ers to be classifi ed as data on request and to object to profi ling. These protec- such, as technology and online behaviour progresses tion measures, as well as new obligations for providers even further. to ask for explicit consent to collect data for all speci- fi ed purposes, greatly enhance the control of end-users Current and future legal framework over the utilisation of their personal data online. While the potential empowering impact of the GDPR is huge, we Currently, the legal ground for privacy protection in the argue that the ambivalent attitudes of users towards data EU is Directive 95/46. Electronic communication, howev- protection, as well as the risk of differentiation of legal er, is subjected to special regulations based on the regu- practice among member states, can seriously limit the latory framework of the ePrivacy Directive. Both docu- real effects of the privacy reform. ments have since been perceived as inadequate for a growing data-driven economy, and therefore the member The right to export on request all personal data collected states agreed upon the necessity of implementing major by the given online provider is the key novel element of reforms regarding the data protection framework. GDPR. Incumbent providers will no longer enjoy advan- tages resulting from the exclusive use of large volumes The GDPR will come into force on 25 May 2018. Even of user-generated data. As a consequence, portability though it will provide a unifi ed framework concerning da- dramatically lowers barriers to entry for innovative ser- ta protection for all the member states, countries would vices and opens the market for business models in which still be able to regulate to some extent the execution of personal data is controlled and leased by the users in- rights and obligations created by the GDPR. stead of being a sort of non-monetary currency paid in exchange for access to nominally free services. We ar- The selection of regulations as a tool for data protec- gue that potential benefi ts from data portability are clear- tion unifi cation in EU member states has some impor- ly underestimated by end-users, and therefore there is tant consequences. Regulations become immediately a need for its empowerment. Of particular importance enforceable in all member states simultaneously. In con- is treating this instrument in an unrestricted and user- trast to directives, regulations do not need to be trans- friendly manner to the broadest possible extent. posed into national law; in fact, this is forbidden. How- ever, it is necessary to implement certain legal acts, for Protection of personal data in the EU – legal example concerning procedural aspects of the regulation perspective or providing catalogues of exemptions, which can result in divergences in terms of the effects of the GDPR. The approach towards privacy represented in EU law is based on the fundamental assumption that the right Unifi ed or diversifi ed legal practice? to privacy and the protection of personal data are ba- sic human rights. Privacy is protected by the Charter of Member states implement regulations for the handling Fundamental Rights, in Articles 7 and 8, as a right of an of privacy cases (in accordance with the procedural au- individual. There is tension between this approach and tonomy of the member states) as well as solutions for the an alternative view that is currently gaining traction, ac- institutional environment. This may lead to a differentia- tion of legal practice. 2 European Parliament: Regulation (EU) 2016/679 of the European Par- liament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Gen- 4 European Parliament, op. cit., p. 2. eral Data Protection Regulation), in: Offi cial Journal of the European 5 Directive 2002/58/EC of the European Parliament and of the Council, Communities, No. L 119, 4 May 2016. 12 July 2002 3 European Union: Charter of Fundamental Rights of the European 6 J. Chen: How the best-laid plans go awry: the (unsolved) issues of Union, in: Offi cial Journal of the European Communities, No. C 365, applicable law in the General Data Protection Regulation, in: Interna- 18 December 2000, pp. 1-22. tional Data Privacy Law, Vol. 6, No. 4, 2016, p. 310. Intereconomics 2017 | 4 208 Forum Firstly, the autonomy of the member states allows for Last but not least, some differences in legal practice implementing national solutions, which can determine which may occur will be due to the innovative character the extent to which the data subject’s rights will be guar- of some of the implemented solutions. Therefore, select- anteed. Even though the GDPR contains the possibil- ed terms such as “automated processing” or “portabil- ity of signifi cant fi nancial sanctions in the case of non- ity” still have not been suffi ciently clarifi ed. compliance by data processors or controllers, the role of national regulations in providing their institutions with Legal concepts of GDPR an appropriate framework to use options created by the GDPR should not be disregarded. The fi nancial and or- The GDPR introduces new institutions and also changes ganisational independence of national institutions re- existing ones. The foundations for the new legal state of sponsible for privacy protection are crucial factors which the art are the explicit concepts of data protection by de- cannot be underestimated. sign and by default. They refer to the necessity of imple- menting data protection tools at the stage of creating the Secondly, the derogations allowed for in the GDPR may system which is used to collect data and in creating rules lead to a differentiation of the scope of protection de- for the users. Assuming minimisation of personal data pending on national regulations. According to the GDPR, collection and use, both concepts provide the basis for such derogations are allowed the EU’s data protection reform and should guarantee an adequate level of protection. where it is in the public interest to do so, in particular processing personal data in the fi eld of employment However, it should be noted that processing anonymised law, social protection law including pensions and for data is understood as complying with the privacy by de- health security, monitoring and alert purposes, the sign and privacy by default rules. This may raise con- prevention or control of communicable diseases and cerns regarding the effi cacy of data protection by design other serious threats to health. as it is defi ned in the GDPR. Well-known cases of data 10 11 breaches – such as AOL in 2006 and Yahoo in 2014 Even though recital 54 of the GDPR introduces limita- – prove anonymisation to be a hardly satisfying data pro- tions concerning the possibility to process this data for tection measure. other purposes by third parties, such as employers or in- surance and banking companies, it is diffi cult to foresee Consent to processing how states will use the possibilities which they are grant- ed by these exemptions. However, the jurisprudence of One of the conditions under which data processing is the Court of Justice of the European Union (CJEU) thus lawful is if the user provides consent. Therefore, it is cru- far proves that terms such as “public interest” should be cial how “lawful consent” will be understood under the interpreted carefully and the implemented solutions al- GDPR. According to the GDPR, consent must be given ways need to be proportionate to the aims they serve. by a statement or a clear affi rmative action. Moreover, consent should cover all processing activities carried out Thirdly, a lack of regulation could also result in national for the same purpose or purposes. In cases in which the divergences. For example, the GDPR does not regulate processing has multiple purposes, consent should be giv- conditions under which profi ling (understood as combin- en for each one. The GDPR directly claims that consent is ing and processing personal data) may be used if a hu- man factor is involved in this process. This means that 8 In this respect, it is worth mentioning the opinions contained in Arti- the existence of mechanisms which allow human inter- cle 29 Data Protection Working Party: Opinion 15/2011 on the defi ni- tion of consent, 01197/11/EN, WP187, 13 July 2011, which may help to vention in the processing leads to a state’s ability to regu- unify the understanding of main concepts. late the processing in its national legal system. The regu- 9 European Parliament, op. cit., p. 48. lation does not introduce strict transparency imperatives 10 The AOL data breach in 2006 led to the possibility of identifying cer- tain individuals even though the data were anonymised. Documents concerning the algorithms which determine the outcome regarding the legal action against AOL and the fi nal settlement can of this profi ling. As the evolution of legal practice will be accessed online at https://www.technologylawdispatch.com/ be bound and partly determined by the development of wp-content/uploads/sites/26/2013/05/fi nal-as-fi led-landwehr-settle- ment-agreement.pdf and https://www.technologylawdispatch.com/ technologies helping either to avoid or achieve compli- wp-content/uploads/sites/26/2013/05/https-ecf-vaed-uscourts-gov- ance with the general rules of European privacy protec- cgi-bin-show_doc-pl-ca.pdf. tion, it can be expected that new issues regarding inter- 11 Another enormous data breach concerning Yahoo users resulted in legal action; see In re Yahoo! Inc. Customer Data Security Breach Liti- net privacy will soon emerge. gation, Case No. 16-MD-02752-LHK, Order Selecting Lead Plaintiffs’ Counsel and Plaintiffs’ Executive Committee. 7 European Parliament, op. cit., p. 10. 12 European Parliament, op. cit., p. 6. ZBW – Leibniz Information Centre for Economics 209 Forum presumed not to be freely given if a contract depends on Right to data portability this consent despite the data collection not being neces- sary to fulfi l the contract. The conditionality of a selected The right to data portability creates a new right for the data user’s rights, which depend on the fact that processing subject. According to Article 20 of the GDPR, was performed with the user’s consent, may also be used to weaken the user’s position as subject of the personal the data subject shall have the right to receive the per- data. After all, one might argue, that “the consent model sonal data concerning him or her, which he or she has operates to undermine privacy and to some extent facili- provided to a controller, in a structured, commonly used tates surveillance”. and machine-readable format and have the right to transmit this data to another controller. Information requirements If the data is subjected to automated processing, the con- The GDPR lists 12 categories of information that should troller is obliged to fulfi l the request of the data subject be provided to the data subject. The data controllers will “without undue delay and in any event within one month be obliged to provide the data subject not only with the of receipt of the request”. The actual meaning of the right identity of the data collector and the relevant data pro- to data portability will depend on the efforts to be made to tection offi cer, but also about the aim of the data collec- gain possession of the data and the willingness of the cus- tion and about the handling and storage of the data. The tomers to use the new opportunities. GDPR requires that information should be provided “in a concise, transparent, intelligible and easily accessible Automated processing including profi ling form, using clear and plain language”. According to Article 4 of the GDPR, profi ling is defi ned Right to erasure and right to object to processing as “any form of automated processing of personal data consisting of the use of personal data to evaluate cer- The GDPR strengthens the user’s rights both to object tain personal aspects relating to a natural person”. The to processing of data (through Article 21) and to demand legal perspective varies according to the aim and result erasure of one’s data (the right to be forgotten). Article 17 of the profi ling. For example, the data subject may ob- of the GDPR contains a catalogue of situations in which ject to processing for direct marketing purposes. Article “the data subject shall have the right to obtain from the 22 guarantees the right “not to be subject to a decision controller the erasure of personal data concerning him or based solely on automated processing, including profi l- her without undue delay”. This clarifi es the conditions ing, which produces legal effects concerning him or her under which it is possible to refer to the right to be forgot- or similarly signifi cantly affects him or her”. Examples ten as defi ned by the CJEU. The grounds for demanding of such situations could be automatic refusal of an online erasure have to fulfi l the conditions set out in the GDPR. credit application or e-recruiting practices without any Even though the catalogue of situations which allow the human intervention. data subject to demand the erasure of data seems to be broad, there are some problems, such as the fact that Economics of online privacy and GDPR third parties might have different arguments regarding the lawfulness of the data processing, which weakens the In 2010 Facebook aroused a controversy by introducing meaning of the right to erasure. new default privacy settings for its 350 million users. Ac- cording to numerous civil liberties campaigners, as well as some consumer protection organisations, the change was 13 An example would be a situation in which one wants to purchase a clearly intended to push the platform’s users to expose service which is performed via the internet and the data processor more personal data online while decreasing their control demands e.g. the user’s home address and consent for sending the advertisements via the post. This type of consent would not be re- garded as freely given, because it not only leads to demand for data which is not necessary for the contract’s performance, but which is also not necessary to perform the contract. See ibid., p. 8. 14 A. Sarat (ed.): A World Without Privacy: What Law Can and Should Do?, Cambridge 2014, Cambridge University Press. 15 Article 12 of the GDPR allows the use of graphic icons to fulfi l the in- formative obligations: “The information to be provided to data sub- jects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible 17 Ibid., p. 45. and clearly legible manner a meaningful overview of the intended pro- 18 Ibid., p. 39. cessing”. See European Parliament, op. cit., p. 39. 19 Ibid., p. 33. 16 Ibid., p. 43. 20 Ibid., p. 46. Intereconomics 2017 | 4 210 Forum Figure 1 The privacy paradox across the EU Concerned about online privacy Have changed online privacy settings 38% 79% 39% 71% 62% 67% 70% 41% 38% 65% 50% 58% 67% 57% 58% 56% 79% 47% 71% 62% 71% 79% 72% 44% 68% 54% 63% 74% 76% 51% 73% 69% 52% 68% 52% 60% 56% 39% 67% 56% 69% 55% 56% 51% 70% 49% 40% 67% 51% 76% 66% 59% 52% 79% 72% 58% 69% 74% 76% 58% Note: Left pane: Concern about not having complete control over the information provided online (among respondents who feel that they do not have complete control over their personal data online). Right pane: Respondents who have tried to change the privacy settings of personal profi le from the de- fault settings on social networks (base: respondents who use online social networks). nleft = 16,244; nright = 15,339. Sour ce: Own elaboration based on data from European Commission: Special Eurobarometer 431. Data Protection, Wave EB83.1, 2015. over this shared information. However, Facebook CEO primarily through the GDPR – a regulation that aims to re- Mark Zuckerberg justifi ed the privacy changes at that time place the outdated Data Protection Directive of 1995, im- by claiming that: plemented at a time when less than one per cent of EU citizens used the internet. People have really gotten comfortable not only sharing more information and different kinds, but more openly Ambivalent attitudes towards online privacy and with more people. That social norm is just some- thing that has evolved over time. The Commission justifi es the new data regulation to a large extent as a means to allay the privacy concerns of private Is privacy in the digital era a thing of the past? The Ex- individuals. But do internet users really care about having ponential growth of online platforms fuelled by the utilisa- control over personal information they share online? Sur- tion of personal data and the development of predictive veys and polls show that online privacy is indeed an im- analytics, which eases the re-identifi cation of anonymous portant concern for EU citizens. According to the results individuals, support this statement. Nevertheless, the of the 2015 Eurobarometer comprehensive survey, more European Commission still plans to extend oversight over than eight out of ten respondents across the EU feel that companies that process the personal data of EU citizens, they do not have complete control over their personal data online. Among them, two-thirds are concerned about that fact (see Figure 1). On the other hand, studies indicate that 21 See K. Bankston: Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly, Electronic Frontier Foundation, 9 December individuals tend to reveal their personal data for a low level 2009, available at https://www.eff.org/de/deeplinks/2009/12/face- books-new-privacy-changes-good-bad-and-ugly. The privacy set- ting change gave users the ability to alter settings on items they up- load to the site, such as photographs and videos, but all of their status 24 European Commission: Communication from the Commission to the updates were automatically made public unless specifi ed otherwise. European Parliament and the Council. Exchanging and Protecting 22 B. Johnson: Privacy no longer a social norm, says Facebook found- Personal Data in a Globalised World, COM/2017/0007, Brussels 2017. er, The Guardian, 11 January 2010. 25 Ibid. The document also contains other arguments pertaining to the 23 See K. Crawfor d, J. Schultz: Big data and due process: Toward benefi ts for businesses stemming from harmonisation of the legisla- a framework to redress predictive privacy harms, in: Boston College tion of 28 member states. Law Review, Vol. 55, No. 1, 2014, pp. 93-128, and A. Dix et al.: EU 26 This includes e.g. the opportunity to correct, change or delete per- Data Protection Reform: Opportunities and Concerns, in: Intereco- sonal data. See European Commission: Special Eurobarometer 431. nomics, Vol. 48, No. 5, 2013, pp. 268-285. Data Protection, Wave EB83.1, 2015. ZBW – Leibniz Information Centre for Economics 211 Forum of remuneration. Moreover, notwithstanding the stated users are vulnerable to underestimation of future risks re- concern and reluctance to share personal data online, Eu- lated to personal data disclosure but that they overestimate ropeans often do not take basic actions to prevent unwill- current benefi ts from its disclosure. Behavioural economics ing disclosure, for example by changing the privacy set- argues that since privacy concerns are often expressed ge- tings on social networks (see Figure 1). Such inconsistency nerically, they may not correspond directly with the user’s between declared concerns and actual behaviour marks actual behaviour. the ambivalence in attitudes towards privacy. This “pri- vacy paradox” is a well-established concept in the social Valuation of GDPR – empirical evidence sciences and has gained a lot of attention from empirical researchers in recent years. The data in Figure 1 indicates The economic analysis of privacy starts with the observa- the existence of a privacy paradox in the EU, particularly in tion that personal data has been commodifi ed into a trade- central and southern member states. able asset. Implementation of enhanced privacy control mechanisms will help to create a supply side of data mar- In recent years, numerous studies have tried to explain the kets, generating positive welfare effects for users. Accord- privacy paradox, providing logical explanations of the dis- ing to a recent empirical study undertaken on a sample of crepancy between declared concerns and behaviour relat- digital natives in Poland, this is indeed the case. The gross ed to the management of personal data. The most promi- consumer surplus implied by a combination of extended nent from an economic perspective are based on privacy measures planned in the GDPR equals €6.50 per capita per calculus theory and behavioural privacy economics. Both month – roughly 50% of the monthly broadband subscrip- approaches make contrary assumptions regarding the us- tion fee. Out of the tools provided by the new regulation, the ers’ rationality. The former is founded on the premise that one that individuals valued most highly was the right to be agents make rational decisions. The level of online privacy forgotten (€1.40 per month). protection is thus a solution to the trade-off between the expected risks and potential benefi ts of disclosure of per- The next most highly valued tools were the extended scope sonal data. The voluntary disclosure of personal data by of information obligations for providers and the right to people who claim to be concerned about their privacy is object to profi ling (each worth €1.00 per month). Interest- justifi ed by the fact that gains from revealing personal data ingly, consumers do not acknowledge data portability as a are often intangible, such as peers’ attention or social capi- valuable instrument, despite the fact that it plays a key role tal. When these intangible rewards are taken into account, in GDPR reform as a potential game changer for the end- they might outweigh the perceived risks and explain the user-oriented data markets. The increase in the consumer seemingly paradoxical situations. surplus driven by the GDPR refl ects the value of breaking the asymmetry of information and reducing the three major The behavioural economics approach is based on the claim sources of user uncertainty: What data is used online? By that users’ decisions are to a large extent affected by heu- whom? And for which purposes? ristics and cognitive biases such as optimism and affection bias, overconfi dence, fuzzy-boundary, benefi t heuristics or Conclusions hyperbolic discounting. Studies in this fi eld suggest that GDPR reform undoubtedly increases users’ abilities to 27 See: Table X-B A. in A. Acquisti, C. Taylor, L. W agman: The Eco- control their personal data online. Concepts such as priva- nomics of Privacy, in: Journal of Economic Literature, Vol. 54, No. 2, cy by design and privacy by default should lead to the more 2016, pp. 442-492. effective implementation of data protection tools. Informa- 28 H. Holland: Privacy Paradox 2.0, in: Widener Law Journal, Vol. 19, 2009, pp. 1-21. tion obligations on data controllers and processors could 29 In S. Kokolakis: Privacy Attitudes and Privacy Behaviour, in: Com- also raise end-users’ awareness of to what extent and for puters & Security, Vol. 64, January 2017, pp. 122-134, 18 studies are which purposes their data is being processed. The right surveyed providing evidence supporting the privacy paradox hypoth- esis and 11 challenging it. to be forgotten and the right to object to processing could 30 T. Dinev, P. Hart: Internet Privacy Concerns and Social Awareness play a vital role in allowing users to control the spread of as Determinants of Intention to Transact, in: International Journal of their data on the internet. Therefore, taken as such, GDPR Electronic Commerce, Vol. 10, No. 2, 2006, pp. 7-29. 31 H. Lee, H. Park, J. Kim: Why do people share their context informa- is surely a step towards a user-centric internet. There are, tion on Social Network Services? A qualitative study and an experi- mental study on users’ behavior of balancing perceived benefi t and risk, in: International Journal of Human-Computer Studies, Vol. 71, 33 A. Acquisti, C. Taylor, L. W agman, op. cit. No. 9, 2013, pp. 862-877. 34 S. Pr eibusch: The Value of Web Search Privacy, in: IEEE Security 32 J. Gr ossklags, S. Hall, A. Acquisti: When 25 Cents is too much: and Privacy, Vol. 13, No. 5, 2015, pp. 24-32. An Experiment on Willingness-To-Sell and Willingness-To-Protect 35 M. Sobolewski, M. Palinski: How much do consumers value on- Personal Information, in: Workshop on the Economics of Information line privacy? Welfare assessment of new data protection regulation Security (WEIS), 2007, pp. 7-8. (GDPR), WNE Working Paper No. 17/2017 (245), forthcoming. Intereconomics 2017 | 4 212 Forum however, some risks and impediments ahead, and it is hard from a policy perspective, this mechanism is of great im- to foresee how big this step will actually be. portance as a potential game changer which could shift the control over personal data from service providers to First, there are still some reasons to suspect that legal end-users and lower barriers to entry for innovative ser- practice will not lead to the absolute unifi cation of data vices. The failure of end-users to acknowledge the im- protection levels in the member states. The exemptions al- portance of data portability is an early warning sign with lowed in the GDPR, the procedural autonomy of the mem- regards to the effective implementation of the GDPR. ber states and the fact that some of the newly implemented Hence, keeping this instrument unrestricted and user- solutions will eventually be shaped by the CJEU will infl u- friendly to the broadest possible extent is of particular ence the everyday practice of data protection in the EU. importance. Second, it is hard to tell today whether data portability will become an important instrument that encourages users 36 A good example of such services are privacy management platforms, such as Hub-of-All-Things (HAT) or Cambridge Blockchain. They en- to move their data between different service providers. able users to manage personal data from multiple accounts and ser- Currently, users seem to underestimate its role. However, vices by storing it in a virtual container. ZBW – Leibniz Information Centre for Economics

Journal

IntereconomicsSpringer Journals

Published: Aug 10, 2017

There are no references for this article.