Europe’s data regulation conundrum
The European General Data Protection Regulation (GDPR) came into force last month. It is heartening that the EU is taking individual privacy seriously. But for all of the bureaucracy created, it doesn’t address the biggest danger: government abuse of personal data.
Since last month the European General Data Protection Regulation (GDPR) has been in force. It is clear both that digital privacy must be protected and that new technologies need a new approach. Data protection is extremely important, but the question is what kind of regulation does it need, and how much?
In principle, we should be glad that the European Union sees data protection – and therefore individual privacy – as important. But is that concern the only reason for the new regulation, or are there other agendas at work?
Government data collection
In recent years, diverse new regulations have required local, national and supranational authorities to collect individuals’ financial and personal data. Huge amounts of financial information are stored and exchanged between fiscal authorities, without any consideration for the individual’s right to privacy. Municipalities and local governments also collect a lot of personal data of various types. Such files are vulnerable to hacking, but also misuse by the authorities.
In 2006, the European Union issued the Data Retention Directive, which required countries to store all their citizens’ telecommunications for between six and 24 months. Such measures might help prosecute crimes, but do not necessarily help prevent them. Moreover, they are a deep intrusion into personal privacy and leave a lot of room for abuse.
There is no shortage of examples. Some of the least worrisome instances include policemen checking ex-girlfriends’ communication records. The much bigger danger is that the data may be exploited for political reasons. History shows that even democratic governments have made use of such opportunities. The Court of Justice of the European Union (CJEU) ruled the Data Retention Directive violated fundamental rights and declared it void. However, most member states still enforce this law.
Commercial data collection
Another facet receives a lot of attention: information stored by companies like Google and Facebook. In the case of Google, behavior can be monitored, but people are still not forced to give the company this information. In practice, however, it is difficult to avoid. With Facebook, nobody is forced to enter their information and its use is not essential. Still, many are tempted to use it, especially the young and inexperienced. Here, it is necessary to educate people on the danger of potential data misuse. It is obvious that Facebook must handle the commercial use of data responsibly, and should receive the specific consent of those entering information when using it. Companies like Amazon and Apple also collect a lot of data.
The danger of misuse by governments is much bigger; they have the power to introduce repressive measures.
However, the danger of misuse by governments is much bigger, because they have the power to enforce data collection and introduce repressive measures. The GDPR is not really applied to data held by public institutions because they are subject to special laws, as is the automatic exchange of information between financial services and tax authorities. Data collection should be safe, but cases of data theft, leakage and loss are abundant and damage the spirit of the GDPR. It becomes extremely dangerous when tax and financial data are exchanged with countries where crime and/or corruption rates are high.
Unfortunately, despite the huge bureaucratic processes created by the GDPR, the regulation is widely useless as long as public authorities do not limit their data collection to a necessary minimum. It could, however, also be considered a European measure against American firms’ dominance in digital commerce, especially companies like Apple, Google, Facebook and Amazon. But as long as Europe is unable to present credible alternatives to these businesses, the GDPR will also remain inefficient in this area.