GDPR - 2 years on.
The term ‘data protection’ has been used so excessively that it has begun to lose its meaning. It comes as no surprise then that efforts to regulate this field have proven challenging, with many left to wonder whether said laws provide adequate protection or a false sense of security. In May of 2018, the EU Data Authority introduced a new regulation, named the “General Data Protection Regulation”. It is said to be a monumental step forward in the rather piecemeal efforts to reform data protection regulations, billed as the gold standard of data protection[1], giving ordinary people precedential control over the personal data that corporations hold. But does GDPR live up to its name?
“There’s no doubt the huge potential that creative use of data could have … but the price of innovation does not need to be the erosion of fundamental privacy rights.” - Elizabeth Denham, Head of Data Protection Authority, ICO [2]
The tale of Cambridge Analytica, the harvesting of the personal data of up to 87 million Facebook users by an analytics firm for political advertising purposes[3], is no stranger to public discontent. The biggest takeaway from Cambridge Analytica is that privacy and democracy have become inextricably linked. Privacy has been sitting on the front line in a battle between tech and democracy for a long time; if data protection fails, so does whatever limited notion of democracy we had remaining. While cutting-edge technology such as artificial intelligence and data analytics reshapes and improves our society, it poses fresh challenges. There is an ever-increasing volume of personal data being shared, a growing reliance on automated algorithmic processes to analyse said data, and a lack of adequate monitoring. GDPR was supposed to mitigate the latter.
Although GDPR gives consumers greater control over how their personal data is collected and used, they are often puzzled as to how they can actually take advantage of the protection it affords them. Hidden behind the legal jargon of T&Cs, that protection may not be accessible to the layman. ‘Around 270,000 users whose information was scraped by Cambridge Analytica had consented to having their data collected’[4], but data of millions more were ill-obtained through Facebook. While many were hopeful that GDPR would rein in the power of tech giants like Google and Facebook, the conspiratorial truth is they continue to profit from the gold rush in data mining. ‘GDPR would not help if users agree to allow their data to be harvested,’[5] said Nigel Tozer, a GDPR expert at Commvault, a data backup and recovery company. Article 15 of the GDPR states, ‘the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed’[6]. However, being the data subject yourself, do you know which data controller to ask? Are you aware of the recipients or categories of recipients who process your personal data? The lack of transparency in all stages, from data identification to data analysis, is clear, and providing you with the right to ask for information, without knowing precisely who to ask and what to ask for, appears to be an inadequate solution.
Data analytics, as the name suggests, refers to the analysis of data in the attempt to discover meaningful patterns with the use of algorithms. Data analysis allows for unique insights, from commercial and marketing insights that can help induce consumption to political insights that can be detrimental to the public interest. Data analytics includes uses of data that surpass human understanding; yes, it can allow us to tap into new supply and demand possibilities that create economic and social value, but it also raises a variety of data protection issues. How can we ensure that the data has been processed in a legitimate fashion, i.e. in compliance with applicable laws and with the knowledge of the data subjects?[7]
Data analysis raises a few questions that we as a society have to answer: how can our data be used, and for what? I may be comfortable with my data being used for commercial advertising: if Company X knows that consumers of Chocolate Bar A are 85% more likely to enjoy Chocolate Bar B, and I like Chocolate Bar A, then maybe I wouldn’t mind seeing an advertisement for Chocolate Bar B. But if Company Y knows that those who share Opinion A are likely to vote for a certain political candidate and I (publicly) share Opinion A, personally, I wouldn’t want to see a political ad for said candidate. That’s because I may be comfortable with a corporation helping form my choice of dessert, but not my choice of political candidate.
We are years away from a solution. GDPR is only a step in the right direction towards adequate data protection. Soft laws or nebulous concepts such as ‘trustworthy AI’[8] will not successfully repair our broken data ecosystem[9]. There is an urgent call for corporations to put data protection as a top priority beyond mere legal compliance, and to implement improved ways of handling our data through its life cycle[10]. There is a need to educate the public on potential uses of their data and how to access the ways in which our data is used. This would perhaps mean upending the power balance – reclaiming our control of our personal data.
[1] Alex Hern, ‘What is GDPR and how will it affect you?’ (The Guardian, 2018)
[2] Serge Gutwirth and Paul de Hert, Data Protection and Privacy: The Internet of Bodies, (Bloomsbury Publishing, 2018)
[3] Cecilia Kang and Sheera Frenkel, ‘Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users’, The New York Times (New York, 4 April 2018)
[4] Yuliya Talmazan, ‘What is GDPR? A look at the European data privacy rules that could change tech’ (NBC News, 2018)
[5] ibid.
[6] Paul Voigt and Axel von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, (Springer, 2017)
[7] Simon Mortier, Julien Debussche, Jasmien Cesar, ‘Big Data & Issues & Opportunities: Privacy and Data Protection’ (Bird & Bird, 2019)
[8] Olga Finkel and Tessa Schembri, ‘Regulating Trustworthy AI: a Fundamental-rights Based Approach’ (WH Partners, 2019)
[9] Matt Burgess, ‘What is GDPR? The summary guide to GDPR compliance in the UK’ (Wired, 2020)
[10] Jennifer Lund, ‘What is GDPR and how does it impact your business?’ (SuperOffice, 2020)
About the author:
Allison Leung is a third-year Law and Business Studies student at the University of Warwick. She plans on pursuing a career in commercial law. Through her academic and professional experience, she has developed an interest in financial service regulation and dispute resolution.
As a passionate writer, her poem ‘The Fathers of the Oviraptor’ was shortlisted by the Hong Kong Young Writers Awards at the age of 15.