The internet on its way back to a future of human dignity?
One year EU General Data Protection Regulation
The General Data Protection Regulation (GDPR) has come a long way since it was first tabled as a proposal by the European Commission on 25 January 2012. It will probably be remembered as the biggest achievement of the outgoing Juncker Commission. Despite the fact that Europe plays a second-tier role when it comes to the development and production of data-driven technology and services, research shows that of the 132 countries which had national data protection laws at the beginning of 2019, the majority adopts the European ‘omnibus approach’. In other words, the protection of personal data has been promoted from a niche issue that is addressed on a case-by-case basis (the ‘sectoral approach’ which is typical for US regulation) to a universal concern. Even more, privacy in the digital age is a popular human rights issue deserving the care of a ‘dedicated ambassador’ (Special Rapporteur) of the United Nations. Since becoming enforceable, GDPR has been proposed as a sort of gold standard to the international community, and people across the world are happy to be ‘protected’ by it – even outside Europe. Corporations such as Facebook have gone from stating that ‘privacy is dead’ in 2010 to boldly claiming that ‘the future is private’ in 2019. However, despite its undeniable popularity and societal impact, it seems wrong to hail GDPR as the finest of regulatory instruments. As I will aim to demonstrate in this piece, there remain important issues for which GDPR is an unsatisfying solution. As the digital layer of societal interaction evolves, it will be crucial to take additional measures in the near term, at least if the goal is to avoid fragmentation of the digital sphere, which for Europeans would result in limitation to the bubble of a ‘bourgeois internet’.
What GDPR achieves
First, it is important to remember that the regulation of data protection has a rich tradition in Europe that dates back to the 1970s and which is arguably inspired by regulatory activities in the US. Analysing the basic principles and approach of GDPR, most of the text (considered through a qualitative and quantitative lens) clearly reveals its firm roots in instruments such as Convention 108 of the Council of Europe from 1981. This first international legally binding agreement on automated processing of personal data was recently revised and updated. While GDPR certainly contains additions and some innovations, the core of the regulation is still based on this text. This core remains the most important substantive part of the regulation. Furthermore, the innovative parts of GDPR are still subject to considerable academic discourse on their correct interpretation and implementation. Elements such as the ‘right to be forgotten’ as enshrined in Article 17, or the interpretation of an adequate human review of autonomous decisions as enshrined in Article 22, are still not broadly understood. This invites the conclusion that the immediate strength of GDPR is not the result of an update of the substance or context of its provisions. GDPR is not strong because of regulatory innovation. The main achievement of GDPR is to be a catalyst of cultural change.
Hence, and as a second point, procedural elements need to be considered more closely. Arguably, the impact of GDPR rests on two pillars, both of which enable more effective enforcement. On the one hand, the extraterritorial reach of the regulation (Article 3) is crucial. Considering the digital sphere from a global perspective, there is practically no significant automated processing activity of personal data in the private or public sector that is not subject to the regulation. This is particularly relevant for large international digital corporations (e.g. Google, Apple, Facebook, Amazon, Microsoft) since their business models are typically cross-border and it is highly likely that they at least ‘monitor individual behaviour of individuals physically located in the EU’ (Article 3 par. 2 lit. b GDPR). On the other hand, the ability of governmental institutions to impose significant fines of up to 4 percent of the total worldwide annual turnover (Article 83) is unprecedented. This means GDPR is a risk-management and compliance issue of significant importance. Since it is literally worth enforcing the regulation, it is also more likely that member states across the EU set up capable authorities able to carry out and pursue complex investigations.
In essence, this means that GDPR is not significantly changing the applicable rules from a European perspective. Rather, it is a modest substantive update profiting from a rich tradition, combined with the sheer political power of the EU’s internal market, which is projected upon the rest of the digital world. This leverage is combined with slightly adjusted oversight mechanisms represented mainly by the European Data Protection Board (EDPB; Articles 68-71). However, while this body gets some new tasks and strengthens coordination among member states’ institutions, the provisions and the changed name predominantly formalize what has already been working increasingly well as the ‘Article 29 Working Group’ under the previous regime of the EU Data Protection Directive 95/46/EC from 1995. In recent years, its (non-legally binding) opinions, guidelines and press releases on new developments have gained significant public attention. Nevertheless, it seems that this package of moderate substantive upgrade, significant enforcement leverage based on economic power, and oversight mechanism adjustments was enough to correct the course of the global privacy debate and increase the level of protection of individuals across Europe and the world.
What GDPR can and will not do
If the Greek philosopher Heraclitus of Ephesus lived today instead of 2500 years ago, he would probably have become a data scientist. Seemingly, in no other domain is his paradigm ‘everything flows’ (panta rhei) more valid. The internet as information and knowledge infrastructure has become increasingly valuable to humankind since information can be transferred at almost the speed of light and across borders with ease. Additionally, since it is a new and expanding space, the governance setup is changing rapidly. As has already been outlined by referring to the substantive core of GDPR, the regulation is in essence a rather conservative answer for such a dynamic environment. One year after enforcement started, that creates predominantly positive results, since central principles of personal data collection and processing – which have been true for decades – are now finally being enforced.
However, the real question here is what this assessment will look like in 10, 15 or 23 years from now, if GDPR remains enforceable for approximately the same time as Directive 95/46/EC. Most probably, actors will demand that definitions be updated much sooner and that it be made clearer what specific provisions ‘mean’ for new and arising technologies. Most likely, as in the past, the Court of Justice with its judgments and the EDPB with its guidelines will continue to deliver mostly solid guidance to address these gaps. GDPR and its enforcement will face much bigger challenges due to the specific political context it is placed in.
From that perspective, GDPR is a unilateral answer to a multilateral problem in a constantly floating environment. In 2018 that was capable of creating momentum, which was already a big bet won by the EU. Usually, countries and citizens do not appreciate the direct impact of extraterritorial legislation. But as technological infrastructure continues to be upgraded with 5G networks and as systems become more autonomous – applying machine learning on a cognitive level and distributed ledger technology on the organisational level – the value of unilateral action based on political or economic leverage will increasingly diminish. What is ultimately needed is more trust among the key players shaping digital space. Instead, what we see is a race for ‘digital hegemony’ that is threatening to destroy some of the heritage that was created on and through the Internet over the past decades. The provisions of GDPR on jurisdiction and increased fines offer no solutions to that. The only perspective they enable in the long term is the same that countries such as the Russian Federation already use: a truly sovereign, independent and autonomous internet that is based on ‘our values’ and open for business as long as it suits.
More work for Europe and the world
GDPR has achieved a lot one year into its enforcement, but it is hard to ignore the feeling that it is the solution that society needed yesterday. While the regulation paves the way back to a future of human dignity in the digital age, it is mostly limited to correcting a wrong course. This is an important first step that will ultimately only bear fruit if more efforts follow. What perspectives are there? At this moment, without wishing to focus on gloomy perspectives, (more) fragmentation of digital space is the most likely outcome. However, maybe the substantive core of GDPR is worth revisiting once more. The values and basic truths enshrined in those fundamental provisions might be able to guide us to a future with an inclusive and universal digital space. As it was almost forty years ago, Convention 108 of the Council of Europe, which is open for ratification to its 47 member states as well as other countries across the world, might be a good point of departure.
Dr. Oskar Josef Gstrein, MA, LLM is Senior Researcher at the Data Research Center of Campus Fryslân – University of Groningen in the Netherlands. He carries out research in the EU Horizon 2020 project ‘Cutting Crime Impact’ and teaches in the master program ‘Governance and Law in Digital Society’ as well as the minor ‘Data Wise’. At the same time, he is an external lecturer at the Europa-Institut of the University of Saarland in Germany.
Cite as: Oskar Josef Gstrein, „The internet on its way back to a future of human dignity?“, Völkerrechtsblog, 29 May 2019, doi: 10.17176/20190530-001838-0.