The EU’s General Data Protection Regulation is an attempt to shift the paradigm and revise the ‘social contract’ of private companies and individuals defined as ‘privacy in exchange for comfort and free services.’ Today, there is a chance that present Council of Europe standards, applicable to states, will become living norms for digital businesses, at least in Europe.
The GDPR entered into force on May 25. It looks revolutionary especially in those parts that oblige companies to provide individuals with understandable and real opportunities to protect their personal information. The key concept is that consumer information remains consumer information, even if it is on somebody else’s server, so only users can determine to what extent and how it will be used.
The Right to Privacy
The debate on privacy began in the late nineteenth century. In 1890, American philosophers Samuel Warren and Louis Brandeis focused on the right to be left alone1Warren S., Brandeis L. The Right to Privacy // Harvard Law Review. 1890. Vol. 4. № 5. P. 193–220. as protection of private information from its spread through the media. In the mid-twentieth century, Alan Westin2Westin A. Privacy and Freedom. New York: Atheneum, 1967. wrote that the individual has a right to decide what information about himself or herself should be communicated to others and under what circumstances. Then, William Parent stated that privacy was a moral value3Parent W. Privacy, Morality, and the Law // Philosophy and Public Affairs. 1983. Vol. 12. № 4. P. 269–288.. He describes personal data as information that people usually prefer not to disclose, like their health status, financial status, or sexual life. It was philosopher Adam Moore4Moore A. Intangible Property: Privacy, Power, and Information Control // American Philosophical Quarterly. 1998. № 35. P. 365–378. who introduced the concept of access control and argued that protection of privacy was necessary to be independent in public life. Later, the American philosophical tradition has focused on the problem of loss of privacy in an information society as well as on the search for ways to protect personal information and to determine the limits for external interference in a person’s life5Solove D. A Taxonomy of Privacy // University of Pennsylvania Law Review. 2006. Vol. 154. P. 477–564..
Today, the terms privacy, information privacy, data privacy, data protection are used to outline the human right to control the collection and processing of personal data by governments and private entities. It was successfully described by the Constitutional Court of Germany as the right to information self-determination in its 1983 judgment (German). The court ruled that: “[…] the protection of the individual against unlimited collection, storage, use and disclosure of his/her personal data is encompassed by the general personal rights in the German constitution. This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data. Limitations to this informational self-determination are allowed only in case of an overriding public interest.”
In legal documents of the Council of Europe, the European Union, and Russia, sensitive personal data (data on ethnicity, political views, religious or other beliefs, health status and sexual life, criminal record) is identified as a special category of information that requires stricter measures of protection.
The EU’s General Data Protection Regulation introduces uniform standards for processing personal data. The key idea is to give consumers real control over their information. The GDPR toughens requirements for legal entities to follow data protection standards: fines for violations may total up to €20 million or 4 percent of revenues, whichever is greater. The Regulation is implemented directly throughout the European Union.
The EU’s General Data Protection Regulation is harmonized with the norms set out by the Council of Europe through the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, its Additional Protocol, and through the European Convention on Human Rights. In particular, the current approach defines personal data as any information about individual which can identify him or her directly or indirectly in aggregate with other information (this is similar to the Russian “law on personal data”). In addition to known elements like name, date of birth, personal number, credit cards, postal address, residential address, e-mail address, phone number, photos and videos, the EU Regulation includes geolocation, IP-address, and cookies. Overall, any information can be considered personal data in different situations.
The European Court of Human Rights has long implemented personal data processing standards in the ‘states – individuals’ relations as a part of the right to respect for private and family life (Art. 8 of the European Convention). In fact, the GDPR applies the same approach to business companies and other organizations. To comply with EU data protection rules, they must follow key principles of data processing, namely legitimacy, transparency, targeted data collection, data minimization, accuracy, data storage restriction, integrity, and confidentiality. In addition, they must ensure the security of personal data and notify affected individuals about leaks, data corruption or destruction. ‘Sensitive data’ (ethnicity, political views, religion, trade union membership, health status, sexual orientation, genetic and biometric data) are generally excluded from processing, but may be processed exceptionally.
The GDPR requires operators to be transparent and understandable in communication with users. Companies are expected to explain to people in detail how exactly and for how long they are going to use their data. Also, they are obliged to respond to users’ requests for access to their data or its deletion.
Rights for citizens
The GDPR introduced the right of users to access their data, be provided with a copy and receive any relevant additional information (such as the reason for processing their personal data, the categories of personal data used, etc.). The New York Times has called this option ‘radical’. Journalists have conducted an experiment to show differences in data privacy rights in Europe and the United States, requesting personal data from analytical services, Amazon, Facebook, Twitter and LinkedIn to get a sense of how easy it is for people in Europe to access their personal information compared to US users. It turned out that, firstly, EU citizens had more civil rights than the US users even under pre-GDPR regulation; secondly, social networks are equally secretive toward both European and US users. In Russia, the legislator consider personal data as an element of national security and digital sovereignty. The Russian data protection law has rules for businesses and organizations as tough as the European ones. However it does not provide an individual with real civil rights to control how his or her personal data is collected by businesses and the state.
Among the other civil rights provided by the GDPR is the right to object, allowing individuals to ask a company to stop processing their personal data. But the GDPR is also very explicit that the right to object is not absolute; like other civil rights, it can be restricted when it conflicts with the public interest. Among new procedures in data protection regulation is the data portability right when users can ask companies for their personal data to be transferred to them or to another company. The right to be forgotten is reinterpreted by the new regulation. It is not a new right in the European Union but until now it has been interpreted as allowing individuals to demand the removal of outdated or misleading information about themselves. It has largely been applied in the public sphere through requests made to Google to remove search entries about individuals. Now, under GDPR, the right to be forgotten is defined as the right to delete information, not to correct search results. It also can be restricted to ensure freedom of expression or another public interest.
The GDPR has an extraterritorial effect and applies to all companies that process personal data of EU citizens, regardless of location. Russian companies (Aeroflot, Sberbank) have thus released updated versions of their privacy policies. A report on the potential impact of the GDPR on Russian companies by the Russian Internet Research Institute concludes that the European and Russian law standards are poorly harmonized: “In practice, Russian companies targeting users in the EU will be under ‘double encumbrance’.”
The key question now is whether the European Data Reform will influence the business model of such companies as Google and Facebook. The recent scandal around Cambridge Analytica has shown that social media is an absolutely non-transparent market where users’ data is the currency. Default privacy settings allow companies to gain access to huge amounts of data.
In general, it seems like business intends to keep the status-quo (‘data in exchange for convenience’), just offering customers a new agreement with which they can agree or not, but without an opportunity to exert real influence on it. Eventually, the application of the law on national level and on that of European Court of Justice case-law will show whether the paradigm for protecting data privacy has really shifted in Europe.
|↑1||Warren S., Brandeis L. The Right to Privacy // Harvard Law Review. 1890. Vol. 4. № 5. P. 193–220.|
|↑2||Westin A. Privacy and Freedom. New York: Atheneum, 1967.|
|↑3||Parent W. Privacy, Morality, and the Law // Philosophy and Public Affairs. 1983. Vol. 12. № 4. P. 269–288.|
|↑4||Moore A. Intangible Property: Privacy, Power, and Information Control // American Philosophical Quarterly. 1998. № 35. P. 365–378.|
|↑5||Solove D. A Taxonomy of Privacy // University of Pennsylvania Law Review. 2006. Vol. 154. P. 477–564.|