| |
| META TOPICPARENT | name="FirstEssay" |
|---|
| |
<
< | Regulating Privacy: What Is the Point? | >
> | Amending in progress Regulating Privacy: What Is the Point? | | | -- By ClementLegrand - 03 Nov 2016
Introduction | |
<
< | On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR) (1), replacing a directive dating back from 1995. This regulation is 88 pages long and intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. The pervasive nature of the Internet, the constant evolution of the technology, as well as the interests that the States themselves have in collecting information seem to limit the practical effect of adopting regulation in this field. In this paper, I will, shortly but non-exhaustively, develop arguments in favor and against the adoption of such kind of regulation, through examples stemming from the European approach (both under the current European data protection directive and under the GDPR). | >
> | On the 27th of April 2016, the European Union officially published the General Data Protection Regulation (GDPR), replacing a directive dating back from 1995. This regulation intends to regulate, as from the 25 may 2018, the processing (i.e. any operation which is performed on personal data) of personal data (i.e. any information relating to an identified or identifiable natural person) in Europe (2). The European Union opted for the approach of adopting one single normative instrument to regulate every kind of uses of personal data, including collection of data via the Internet. This approach raises several questions. The pervasive nature of the Internet, the constant evolution of the technology, as well as the interests that the States themselves have in collecting information seem to limit the practical effect of adopting regulation in this field. In this paper, I will, shortly but non-exhaustively, develop arguments in favor and against the adoption of such kind of regulation, through examples stemming from the European approach (both under the current European data protection directive and under the GDPR). | | | | |
<
< | Regulation: Pro and Cons
The Territorial Limitation | >
> | Regulation: | | | | |
>
> | Protecting data subject's autonomy | | | | |
<
< | The cyberspace has no borders. A company located in the Silicon Valley can offer its services online to the entire world and collect all kinds of data relating to its users, without having any branch outside of the United States. On the contrary, regulations are very often bound to a specific territory. In certain cases, rules apply to categories of legal entities linked to an organization. But in any case, such limitation of the regulation’s scope to certain places or entities seems to make regulation of privacy on the Internet impossible. As a result, one could question the efficiency of a regulation, especially when it comes to the enforcement of the rights it protects on the other side of the planet. However, this limitation to a territory with respect to data protection should be nuanced. In theory, the GDPR will be applicable to all companies offering services or collecting information regarding European behaviors through a website accessible in Europe (3). In practice, under the current Directive, the European Court of Justice (ECJ) applied the European data protection law to a processing carried out by Google Inc. in California. The ECJ decided that, despite the fact that Google's Spanish entity was not involved directly in the processing of personal data by Google Inc. (the Spanish entity was only in charge of selling advertisements), such processing took place "in the framework" of an establishment of Google, located in Spain (4). Even though the global aspect of the Internet does not allow to regulate every entities processing personal data, regulation can have an extraterritorial effect. | >
> | The privacy is a complex notion. It protects several aspect of an individual's personality. Among these aspects, the ones most commonly invoked are the following: the autonomy, the secrecy, and the anonymity of a person. Because anonymity and secrecy are not always possible (e.g. companies often need to have a list of their employees, a list of their providers and customers, such lists include most of the time some personal data such as names, adresses for deliveries), the GDPR's main goal is to ensure the autonomy of the individuals whose personal data is being processed, through ensuring control by these individuals over their data. Under the GDPR, any natural person (i.e. excluding companies)whose personal data is being processed qualifies as "data subject", and can therefore invoke a series of rights (i.e. the right to be informed, the right to access, the right to rectify, the right to data portability and the right to be forgotten). The GDPR wants to ensure data subjects can control the use that is made of their data. To a certain extent , it also protects secrecy of the data (by regulating the data controler's disclosure of the data) and the anonymity (for example, by requiring a privacy impact assessement and by requiring data controller to ensure privacy by design). | | |
| | |
| |
<
< | (1) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
(2) Article 4 (1) and 4(2) of the GDPR.
(3) Article 3.2 of the GDPR.
(4) ECJ, Google Spain v. Costeja Gonzalez, C-131/12 (May 13, 2014).
(5) Article 12-14 of the GDPR.
(6) Article 83.5 of the GDPR.
Why use this endnote approach in writing for the web? Make useful links here, so the reader can go directly from your sentence to the relevant provision, substantiating what you are saying and dealing with the text itself rather than paraphrase.
| | |
| |
<
< | The question with which you title the essay is a good one, but it was never even slightly answered. Instead we have only a paraphrase of statutory material never actually used or discussed, and a series of lightly-expressed policy arguments that don't tell us what the point is. So, in the next draft, let's try to find out what is the point: | | |
- Why do we have "data protection"? Is the point to protect data, or people? If we are protecting people, what is the harm apprehended, and how does law prevent harm?
- Are these rules based on contractual freedom? If so, why should we not expect them to be contracted around? If not, what is the condition of market failure or the theory of liability on which the regulation displaces private ordering?
|
|