For the researcher Olivier Ertzscheid, author of the New Declaration of Independence of Cyberspace, the forthcoming European General Data Protection Regulation is an important step forward for internet users.
VoxEurop: Does the General Data Protection Regulation (GDPR), which enters into force on 25 May, represent progress in returning autonomy to internet users or is it just another restriction on use of the internet by platforms and users?
Olivier Ertzscheid: It is undeniably an important step forward, both for the rights of internet users and also to provide a sufficiently coercive legal framework for the major platforms. Coercion which can ultimately be virtuous, as the Facebook-Cambridge-Analytica scandal is currently showing. Who would have believed only a few months ago that Mark Zuckerberg would become a zealous defender of the GDPR?
Will the planned penalties be effective against platforms whose turnover approaches the figures of certain European countries’ GDP?
One can always point to the ratio between the platforms’ revenues and the financial penalties which seem small in comparison. But we should not lose sight of what is important. The taxation issue must be dealt with and I support much heavier penalties than the current ones. The amount of the fine is less important than having guarantees that fines will be issued and paid. But in the case of the GDPR and personal-data protection, platforms can now clearly see what is at stake in terms of image and public opinion. Having leverage on their popularity and brand image is often more effective than the threat of financial penalties.
Is the system of opt-ins concerning personal data not an obstacle to the development of online business and, in the end, an obstacle to the digitalization of the economy?
I do not think so. Google recently announced that it was going to deploy “non-personalized” adverts, and Facebook has indicated that it will not only apply the GDPR in Europe but also use it as inspiration elsewhere. It is for states and Europe to create a dynamic, a virtuous cycle, in which the digital economy can continue to prosper, while tackling rent-seeking and reducing the abuses encouraged by the current lack of a legal framework around personal data. Many analysts fear that the GDPR will be an additional burden on European business in a globalized market, but really the Cambridge Analytica affair shows that this new framework can be an example of harmonization which does not hinder competition and indeed allow new actors to compete on terms which better respect our privacy.
Do the regulation’s measures allow users to express genuinely informed consent as to the use of their personal data?
They are a first step. A giant step, given the current situation.
In 2019 the ePrivacy regulation, on privacy protection, is due to enter into force. It will replace the eponymous directive. Taken together with the GDPR, will this ensure the protection of European citizens?
Such a claim would be premature. We will need to see, in particular, how the major platforms implement it in practice. The fact that they seem inclined today to do so properly does not mean that the European institutions, or the tax authorities, can lower their guard.
In your New Declaration of Independence of Cyberspace you claim that “Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you.” And yet membership of platforms and social networks is voluntary and users must approve the terms of service (ToS) before signing up, is that not correct?
Yes but everyone knows that reading the ToS is a fool’s game. Nobody reads them really, and for those who do make the effort it is difficult to understand everything. As a congressman remarked to Mark Zuckerberg during his hearing on 10-11 April, the ToS need to be much shorter and clearer if the average user is to understand them.
What is the best way of ensuring that users really understand the ToS of the services they use?
Prior and explicit consent for the collection of all data – that is a first step. The reason for collecting data must also be made explicit: why, by whom, in what conditions and to what ends will the data be collected? And for how long. In terms of ergonomy and design, tools must be created to allow users to engage more easily with the ToS. And it must be possible to check, regularly, that the ToS have not changed.
What is the digital “social contract” that you mention?
The same one (but more modestly of course) as Rousseau’s. Cyberspace is a “milieu” and not a distinct space from that of the law. The same laws as those of nations must therefore be applied, but we also need a coherent legal framework which takes account of certain characteristics of this milieu. An example is the Creative Commons copyright licences, proposed by Lawrence Lessig when he was professor of law at Harvard. These provide a framework which respects the rights of content creators while taking into account the internet’s logic of mass distribution and appropriation.
More generally this “social contract” must be defined by the yardsticks of emancipation and capacitation. Digital ecosystems bring these benefits “naturally” but, because of an entirely deregulated economic model, they have too often been turned into tools of alienation.
The internet was conceived and born as a democratic space par-excellence. Is that still the case?
I believe so. At least if we are talking about that space outside the “walled gardens” and “applications” that stifle us and have nothing democratic about them. But, these apart, there fortunately still exist spaces of genuine freedom where, contrary to popular belief, anonymity and pseudonymity do not prevent well-reasoned debate where all opinions are respected.
Translated by RX
This article is published in association with the European Parliament.
This article has been produced within the project The Parliament of Rights, co-funded by the European Union. The contents of this publication are the sole responsibility of Osservatorio Balcani e Caucaso Transeuropa and its partners and can in no way be taken to reflect the views of the European Union.
Factual or translation error? Tell us.
Europeans will benefit a state-of-the-art data protection
On 25 May the General Data Protection Regulation (GDPR), which aims at “protecting and empowering all EU citizens data privacy and to reshape the way organizations across the region approach data privacy” will become enforceable, thus directly binding and applicable by the EU member states. It will replace the data protection directive of 1995.
The regulation was adopted on 27 April 2016 and intends to “strengthen and unify data protection for all individuals within the European Union”. It also addresses the export of personal data outside the EU, and to “give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.” The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’. Under GDPR organizations in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 Million (whichever is greater). The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms of service full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.