Personal-data privacy: New EU rules are ‘a giant step, given the current situation’

For the researcher Olivier Ertzscheid, author of the New Declaration of Independence of Cyberspace, the forthcoming European General Data Protection Regulation is an important step forward for internet users

(Originally published by VoxEurop )

Does the General Data Protection Regulation (GDPR) , which enters into force on 25 May, represent progress in returning autonomy to internet users or is it just another restriction on use of the internet by platforms and users?

It is undeniably an important step forward, both for the rights of internet users and also to provide a sufficiently coercive legal framework for the major platforms. Coercion which can ultimately be virtuous, as the Facebook-Cambridge-Analytica scandal is currently showing. Who would have believed only a few months ago that Mark Zuckerberg would become a zealous defender of the GDPR?

Will the planned penalties be effective against platforms whose turnover approaches the figures of certain European countries' GDP?

One can always point to the ratio between the platforms' revenues and the financial penalties which seem small in comparison. But we should not lose sight of what is important. The taxation issue must be dealt with and I support much heavier penalties than the current ones. The amount of the fine is less important than having guarantees that fines will be issued and paid. But in the case of the GDPR and personal-data protection, platforms can now clearly see what is at stake in terms of image and public opinion. Having leverage on their popularity and brand image is often more effective than the threat of financial penalties.

Is the system of opt-ins concerning personal data not an obstacle to the development of online business and, in the end, an obstacle to the digitalization of the economy?

I do not think so. Google recently announced that it was going to deploy "non-personalized" adverts, and Facebook has indicated that it will not only apply the GDPR in Europe but also use it as inspiration elsewhere. It is for states and Europe to create a dynamic, a virtuous cycle, in which the digital economy can continue to prosper, while tackling rent-seeking and reducing the abuses encouraged by the current lack of a legal framework around personal data. Many analysts fear that the GDPR will be an additional burden on European business in a globalized market, but really the Cambridge Analytica affair shows that this new framework can be an example of harmonization which does not hinder competition and indeed allow new actors to compete on terms which better respect our privacy.

Do the regulation's measures allow users to express genuinely informed consent as to the use of their personal data?

They are a first step. A giant step, given the current situation.

In 2019 the ePrivacy regulation, on privacy protection, is due to enter into force. It will replace the eponymous directive. Taken together with the GDPR, will this ensure the protection of European citizens?

Such a claim would be premature. We will need to see, in particular, how the major platforms implement it in practice. The fact that they seem inclined today to do so properly does not mean that the European institutions, or the tax authorities, can lower their guard.

In your New Declaration of Independence of Cyberspace you claim that "Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you." And yet membership of platforms and social networks is voluntary and users must approve the terms of service (ToS) before signing up, is that not correct?

Yes but everyone knows that reading the ToS is a fool's game. Nobody reads them really, and for those who do make the effort it is difficult to understand everything. As a congressman remarked to Mark Zuckerberg during his hearing on 10-11 April, the ToS need to be much shorter and clearer if the average user is to understand them.

What is the best way of ensuring that users really understand the ToS of the services they use?

Prior and explicit consent for the collection of all data – that is a first step. The reason for collecting data must also be made explicit: why, by whom, in what conditions and to what ends will the data be collected? And for how long. In terms of ergonomy and design, tools must be created to allow users to engage more easily with the ToS. And it must be possible to check, regularly, that the ToS have not changed.

What is the digital "social contract" that you mention?

The same one (but more modestly of course) as Rousseau's. Cyberspace is a "milieu" and not a distinct space from that of the law. The same laws as those of nations must therefore be applied, but we also need a coherent legal framework which takes account of certain characteristics of this milieu. An example is the Creative Commons copyright licences, proposed by Lawrence Lessig when he was professor of law at Harvard. These provide a framework which respects the rights of content creators while taking into account the internet's logic of mass distribution and appropriation.

More generally this "social contract" must be defined by the yardsticks of emancipation and capacitation. Digital ecosystems bring these benefits "naturally" but, because of an entirely deregulated economic model, they have too often been turned into tools of alienation.

The internet was conceived and born as a democratic space par-excellence. Is that still the case?

I believe so. At least if we are talking about that space outside the "walled gardens" and "applications" that stifle us and have nothing democratic about them. But, these apart, there fortunately still exist spaces of genuine freedom where, contrary to popular belief, anonymity and pseudonymity do not prevent well-reasoned debate where all opinions are respected.

blog comments powered by