Computers, Privacy & the Constitution

The Rise and Fall of the GDPR

-- By AvrahamTsikhanovski - 03 Mar 2024

Introduction

When the European Union adopted the General Data Protection Regulation in 2016, many celebrated its passage as a milestone in information privacy and human rights, calling it the “world's strongest set of data protection rules.” There was indeed much to celebrate, as the regulation imposed strict obligations on entities processing the personal data of individuals within the European Union. Its principles include storage limitation (keeping personal data no longer than is necessary for the purpose it was collected for), integrity and confidentiality (securing data against unauthorized access, so that only those who need it for the processing can reach it), and data minimization (collecting and keeping only the data that is needed to provide a particular service), among others. The GDPR also imposes heavy penalties on anyone violating its terms. Its groundbreaking nature was apparent shortly after its passage: in the two-year period before it became applicable in May 2018, companies within its scope complained heavily about the burden of compliance and the severity of the penalties it threatened. Before long, other governments followed the EU's lead and passed regulations that copied or closely resembled the GDPR, among them Turkey, the United Kingdom, and the State of California. In the last few years, other U.S. states, such as Colorado, Virginia, and Utah, have passed laws similar to the GDPR or to its California equivalent, the California Consumer Privacy Act. As is often the case when some states regulate a particular sector, the conversation about federal intervention inevitably follows.
In this case, proponents of stronger privacy laws in the United States have argued that the federal government needs to pass its own privacy law, because it would protect more people and create nationwide uniformity instead of a patchwork of inconsistent state laws. Although a federal regulation mirroring the GDPR would be an enormous leap forward for privacy regulation in the United States, the prospect of one should prompt us to evaluate where the GDPR failed to deliver, and what a federal privacy law could do to make up for its shortcomings. This paper will argue that while the GDPR is a productive step forward, it has failed by leaving loopholes that allow companies to continue harvesting unnecessary data, and that it operates from a faulty premise that favors regulating personal data over imagining a reality in which the collection of personal data would be proscribed altogether.

The GDPR's Loopholes

The first loophole that companies exploit to continue harvesting data from users comes in the form of “dark patterns.” Although the term has no settled legal definition, dark patterns are understood as “practices in digital interfaces designed to direct, deceive, coerce or manipulate users into making choices against their best interests.” That means that a user, in addition to being overwhelmed by the fine print that demands consent before they can access a website, also has to contend with a deceptive user interface that tricks them into giving data harvesters consent to use their data. An example would be a cookie consent notice that offers an “accept all” button on its first screen but no clear, equally prominent “reject” button, even though the GDPR requires that consent be freely given (Article 7) and that withdrawing it be as easy as giving it (Article 7(3)). Although EU institutions have started to crack down on dark patterns, it is unclear whether these crackdowns will reach the cookie consent notices that the ePrivacy Directive, read together with the GDPR's standard of consent, requires. The second loophole that companies exploit concerns the vagueness of much of the regulation's language. Article 6 of the GDPR provides six bases on which processing of personal data is lawful. One of them is consent, discussed above, but the other five give data harvesters opportunities to exploit legal loopholes through which they can harvest more data. For example, another justification for the “collection, handling, and/or storage of people's personal data” applies when “you have a legitimate interest to process someone's personal data.” Although the text of that basis requires the controller's interest to be balanced against the rights and freedoms of the data subject, the balancing is in the first instance performed by the controller itself. The vagueness of this basis is ripe for abuse, and companies, armed with armies of lawyers, can quickly use it to justify harvesting data that should otherwise be prohibited.

Reimagining Privacy Law in the U.S.

Finally, the deepest shortcoming of the GDPR relates to its goals. Richard Stallman, founder of the Free Software Foundation, argues that at a time when the “surveillance imposed on us today far exceeds that of the Soviet Union,” there is an urgent need for “a law to stop systems from collecting personal data” instead of one that merely regulates how personal data may be used. Instead of a status quo in which companies collect and process data subject to regulation, our status quo should be that we “require systems to be built so as not to collect data about a person.” Of course, this would be a radical reimagining of the current American system, which allows companies to harvest as much data as they want from individuals. Even the passage of a stop-gap measure equivalent to the GDPR seems unlikely as of now. But this should not stop us from using the national conversation about privacy laws to push a more ambitious and revolutionary approach to privacy and human rights. After all, democracy, freedom, and human rights are on the line.

I don't quite understand why we should conclude that GDPR has failed because it has loopholes. On that basis all tax law has always failed. I think that's a red herring. The US doesn't have an absence of data protection law: it has a carefully-engineered no-law zone, a system of immunity and subsidy through reduced legal liability like that benefiting the railroads and other "active users" in the antebellum US economy that Morton Horwitz described nearly half a century ago in The Transformation of American Law. It's not an oversight or a legal failing. It's a political decision coherently maintained for decades and apparently very successful as national industrial and strategic policy. To describe that policy as having the shortcomings of not being yours is a political category error. A draft that granted the current system its intellectual integrity would actually make more headway in showing how it could change.

r3 - 24 Apr 2024 - 19:41:36 - AvrahamTsikhanovski