By Caroline Lancelot-Miltgen, Professor at Audencia Business School
It is almost three months now since the European Parliament in Brussels introduced the new General Data Protection Regulation (GDPR) developed by the European Union. GDPR makes companies accountable for the use they make of personal data of all European citizens.
But could the spirit of the regulation still be lacking while companies simply apply the letter of the law? Does it really go far enough to protect citizens?
As consumers, there are several risks associated with sharing our personal data. First, pretty much all of our online activities are constantly monitored and can be linked together to form a very precise picture of who we are, what we do, our likes and dislikes, our political stances and so on. This can easily be used for purposes we have not agreed to, as seen in the Cambridge Analytica scandal.
A second risk is that it makes us vulnerable to discrimination of various kinds. For instance, studies have shown that websites on which travel or hotels are booked collect information about the type of computer we use. These companies can then use this information to deduce our purchasing power, and adjust their pricing policy accordingly.
A third risk is the use of filter bubbles. Algorithms collect our data to reconstruct our profiles, to know our tastes, which then influences what information is offered to us by digital services. Thus, we are only shown information based on what is supposed to interest and please us, which excludes other content which might better inform us. This keeps us within our own bubble and does not give us access to a full range which might offer us more and better choices.
Of course, the big question is: how will all this affect our fundamental freedoms? Data protection activists say that much of our freedom has already been lost: we are already being tracked, watched and monitored to an unacceptable degree. While I wouldn’t go that far, I would agree that there is some truth in this. It is very important that people are made fully aware of what is involved in data collection and are in a position to make informed decisions about their use. Unfortunately, there is a lot of confusion out there! While enjoying the benefits of digital services, most people are still unaware of many of the dangers around data collection and use, and I am sceptical of whether the newly introduced European regulation will be enough to offer adequate protection. The letter of the law will, of course, be applied, and the penalties for not doing so are such that companies cannot risk flouting it. But can we really believe that they will all apply it with the whole spirit of the regulation? I think this is highly unlikely. For months preceding the application of the new law, multinational companies have started lobbying actions to add legal exceptions to it.
Prior to and just after the implementation of the GDPR, we all received a lot of emails from companies warning us that the general conditions of use of services were changing. But these warnings are more about protecting the company rather than informing the consumer. They are as incomprehensible as ever – written by lawyers for lawyers – leaving the consumers as mystified as before, and still giving consent to something about which they are not fully informed.
I do not know of a single ordinary citizen who has actually read and understood the full text of any terms and conditions. The current problem is that consumers see the advantages of using digital services but the majority of them are blind to the risks to which they expose themselves by using these services and letting those services accessing their personal data. Simply issuing a new piece of regulation is not enough because the main issue is this lack of awareness of how our personal data might be used. What we should be doing is educate people on all the risks associated with the possible (mis-)use of our personal data. This public awareness-raising effort is paramount, and it is the responsibility of all stakeholders to undertake it.
Information is power! There is of course a great need for this regulation, but it must go hand in hand with the education of consumers, from a very young age, about the risks associated with digital services. This has to be conducted not only by public authorities, but by parents, in schools, in libraries and the workplace, even on social media itself, as this is an area in which we all have our own responsibility. Indeed, the Court of Justice of the European Union judged a German case on June 5, 2018 and considered that administrators of Facebook fan were responsible for the processing of the data of their users in the same proportions as Facebook was. We cannot just say, “It’s outrageous!” Especially if you have created a Facebook account and have been posting there all your life.