Computers, Privacy & the Constitution

AvrahamTsikhanovskiFirstPaper 4 - 21 Jul 2024 - Main.AvrahamTsikhanovski
Changed:
<
<

The Rise and Fall of the GDPR

>
>

How the GDPR’s Failure is a Feature, Not a Bug

 
Changed:
<
<
-- By AvrahamTsikhanovski - 03 Mar 2024
>
>
-- By AvrahamTsikhanovski - 21 July 2024
 

Introduction

Changed:
<
<
When the European Union adopted the General Data Protection Regulation in 2016, many celebrated its passage as a milestone in information privacy and human rights, calling it the “world's strongest set of data protection rules.” Indeed, there was much to celebrate with the passage of this regulation, as it imposed strict guidelines on entities processing personal data of individuals within the European Union. These guidelines include storage limitation (keeping personal data no longer than necessary), confidentiality (restricting access to data to those who need it for processing), and data minimization (gathering and keeping only the data that is needed to provide a particular service), as well as others. The GDPR would also impose harsh penalties on anyone violating its terms. The groundbreaking nature of the GDPR was evident shortly after its passage. In the two-year period leading up to its implementation, companies that fell under the scope of the GDPR complained heavily about the burdens of complying with its regulations and feared the harsh penalties that the regulation would impose on violators. Before long, other governments followed the lead of the EU and began passing regulations that either copied or closely resembled the GDPR. Examples include Turkey, the United Kingdom, and the State of California. In the last few years, other U.S. states, such as Colorado, Virginia, and Utah, have passed laws similar to the GDPR or its California equivalent, the California Consumer Privacy Act. As is often the case whenever certain states pass regulations targeting a specific sector, the conversation regarding federal intervention inevitably starts up.
In this case, proponents of stronger privacy laws in the United States have argued that there is a strong need for the federal government to pass its own privacy laws, as they would protect more people and create uniformity for privacy law nationwide, instead of leaving inconsistent laws in different states. Although the passage of federal regulations that mirror the GDPR would be an enormous leap forward for regulating privacy in the United States, the prospect of a federal implementation should have us evaluate where the GDPR failed to deliver, and what a federal privacy regulation can do to make up for the GDPR’s shortcomings. This paper will argue that while the GDPR is a productive step forward, it has failed by allowing loopholes that let companies continue harvesting unnecessary data, and it rests on a faulty premise that privileges regulating personal data over imagining a reality in which the collection of personal data would be proscribed altogether.
>
>
When the European Union adopted the General Data Protection Regulation in 2016, many celebrated its adoption as a milestone in information privacy and human rights, calling it the “world’s strongest set of data protection rules.” Indeed, there seemed to be a lot to celebrate with the passage of this regulation, as it imposed seemingly strict guidelines on entities processing personal data of individuals within the European Union. These guidelines included storage limitation (keeping personal data no longer than necessary), confidentiality (restricting access to data to those who need it for processing), and data minimization (gathering and keeping only the data that is needed to provide a particular service), as well as others. The GDPR would also impose harsh penalties on anyone violating its terms. The groundbreaking nature of the GDPR was evident shortly after its passage. In the two-year period leading up to its implementation, companies that fell under the scope of the GDPR complained heavily about the burdens of complying with its regulations and feared the harsh penalties that the regulation would impose on violators.

Before long, other governments followed the lead of the EU and began passing regulations that either copied or closely resembled the GDPR. Examples include Turkey, the United Kingdom, and the State of California. In the last few years, other U.S. states, such as Colorado, Virginia, and Utah, have passed laws similar to the GDPR or its California equivalent, the California Consumer Privacy Act.

As is often the case whenever certain states pass regulations targeting a specific sector, the conversation regarding federal intervention inevitably reignites. In this case, proponents of stronger privacy laws in the United States have argued that there is a strong need for the federal government to pass its own privacy laws, as they would protect more people and create uniformity for privacy law nationwide, instead of leaving inconsistent laws in different states. Although the passage of federal regulations that mirror the GDPR would be an enormous leap forward for regulating privacy in the United States, the prospect of a federal implementation should have us evaluate where the GDPR failed to deliver, why it failed to deliver, and what a federal privacy regulation can do to re-envision privacy rights in the United States. This paper will argue that while the GDPR had the optics of being a step forward for privacy rights, it was actually designed to allow the status quo of systemic and omnipresent data harvesting to persist and thrive, and merely served as an act of political theater, duping the privacy-conscious into thinking that meaningful change was being enacted. In short, this paper will argue that the GDPR’s shortcomings are a feature, not a bug.

 

The GDPR's Loopholes

Changed:
<
<
The first loophole that companies exploit to continue harvesting data from users comes in the form of “dark patterns.” Although there is no legal definition of this term, dark patterns are understood as “practices in digital interfaces designed to direct, deceive, coerce or manipulate users into making choices against their best interests.” That means that a user, in addition to being overwhelmed by the fine print that demands their consent before they access a website, also has to contend with a deceptive user interface that tricks them into giving data harvesters consent to use their data. An example would be a cookie consent notice that offers no clear “reject” button while the “accept” button is prominent. Although EU institutions have started to crack down on dark patterns, it is unclear whether these crackdowns will reach the cookie consent notices that rely on GDPR-standard consent. The second loophole that companies exploit concerns the vagueness of much of the language used in the regulation. There are six bases on which data processing is lawful. One of them is consent, discussed above, but the five other bases provide data harvesters with opportunities to exploit legal loopholes with which they can harvest more data. For example, another justification for the “collection, handling, and/or storage of people’s personal data” is when “you have a legitimate interest to process someone’s personal data.” The vague nature of this basis is ripe for abuse, and companies, armed with armies of lawyers, can quickly use this justification to harvest data that should otherwise be prohibited.
>
>
The first piece of evidence pointing us to the conclusion that the GDPR was designed to be a piece of political theater concerns a loophole that companies exploit to harvest data, known as “dark patterns.” Although there is currently no settled legal definition of this term, “dark patterns” are commonly understood as “practices in digital interfaces designed to direct, deceive, coerce or manipulate users into making choices against their best interests.” That means that a user, in addition to being overwhelmed by the fine print that demands their consent before they access a website, also has to contend with a deceptive user interface that tricks them into giving data harvesters consent to use their data. An example would be a cookie consent notice that offers no clear “reject” button while the “accept” button is prominent. If the GDPR truly wished to grant users agency in determining where their data goes, wouldn’t it have proscribed this practice from the get-go?

The second loophole that companies exploit concerns the vagueness of much of the language used in the regulation. There are six bases on which data processing is lawful. One of them is consent, discussed in the previous paragraph, but the five other bases provide data harvesters with opportunities to exploit legal loopholes with which they can harvest more data. For example, another justification for the “collection, handling, and/or storage of people’s personal data” is when there is a “legitimate interest to process someone's personal data.” The vague nature of this basis is ripe for abuse, and companies, armed with armies of lawyers, can quickly use this justification to harvest data that should otherwise be prohibited. Again, if the GDPR were truly concerned with creating a new standard and regime for privacy, would it really use language that corporations will gleefully abuse?

 

Reimagining Privacy Law in the U.S.

Changed:
<
<
Finally, the shortcomings of the GDPR relate to its goals. Richard Stallman, founder of the Free Software Foundation, argues that at a time when the “surveillance imposed on us today far exceeds that of the Soviet Union,” there is an urgent need for “a law to stop systems from collecting personal data” instead of one that merely regulates how personal data may be used. Instead of a status quo in which companies collect and process data that is then subject to regulation, our status quo should be that we “require systems to be built so as not to collect data about a person.” Of course, this would be a radical reimagining of the current American system, which allows companies to harvest as much data as they want from individuals. Even the passage of a stop-gap measure equivalent to the GDPR seems unlikely as of now. But this should not preclude us from using the national conversation surrounding privacy laws to push a more ambitious and revolutionary approach to privacy and human rights. After all, democracy, freedom, and human rights are on the line.
>
>
Mark Zuckerberg published an op-ed in 2019 calling for the adoption of GDPR-style regulations in the United States. Why would someone who has become one of the richest men in the world by harvesting data call for regulations that would seemingly hurt the very industry he pioneered? It must be because the GDPR and its progeny do little to actually limit or extinguish data harvesting. When reimagining what data privacy laws look like in the United States, we need to go far beyond laws that act as political theater. Instead, we need to re-envision privacy rights as a form of human rights, and create laws that close every loophole for data harvesting, empower citizens with the knowledge to use the internet in a way that protects the sanctity of their privacy, enforce penalties that would destroy companies that violate data privacy laws, and reframe the conversation about data privacy as a battle between freedom and despotism. Anything else will always be political theater.
 
I don't quite understand why we should conclude that GDPR has failed because it has loopholes. On that basis all tax law has always failed. I think that's a red herring. The US doesn't have an absence of data protection law: it has a carefully-engineered no-law zone, a system of immunity and subsidy through reduced legal liability like that benefiting the railroads and other "active users" in the antebellum US economy that Morton Horwitz described nearly half a century ago in The Transformation of American Law. It's not an oversight or a legal failing. It's a political decision coherently maintained for decades and apparently very successful as national industrial and strategic policy. To describe that policy as

Revision 4r4 - 21 Jul 2024 - 17:19:47 - AvrahamTsikhanovski
Revision 3r3 - 24 Apr 2024 - 19:41:36 - AvrahamTsikhanovski
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.