GDPR – we don’t have a choice

The 25th of May 2020 marks the 2^nd anniversary for the General Data Protection Regulation, which handles how (personal) data should be processed. Even though it’s a regulation for and by the European Union, it had an impact on privacy discussion around the globe, for two reasons. The first reason lies within the regulation itself, which states that companies need to comply to that rule whenever it concerns a EU-citizen. In a globalized world, this essentially means that quite a few companies had to take a look into their data-handling processes to avoid punishment. The other reason why the GDPR has been a global topic for discussion is its function as a role model – more and more Countries and States are passing similar laws, using the GDPR as a template. But can the GDPR be seen as a success or has it failed its promises? Let’s take a closer look at the changes for consumers that GDPR has brought.

Let’s take a look at the fundamental rights set forth in the GDPR.

1. The right to be informed – organizations must be transparent in how they are using personal data. In real life, this translates into the “privacy” section which is now mandatory for every website or app. However, mandatory usually doesn’t mean that it’s fully understood – by both the company and the consumer. Or even read, for that matter. The problem here is twofold. One, most consumers always chose convenience over privacy. Meaning that if they want a certain information or functionality, they usually don’t care which data they have to give up for it. On the other hand, especially smaller organization don’t really have the full transparency on the data. Take Google Analytics as an example: a lot of website use this service and while their privacy statements usually say so, hardly anyone actually knows how this data is obtained.
2. The right to access – similarly, while organization have to give every individual the right to tell them which information is held and how it is processed, invoking this right can be more difficult than it seems. While stories of collected data send in a binder through the postal service are exaggerated, as an individual it’s still hard to sift through all the data that some companies collect. A good example is facebook – asking them for data will give you data – but the result will not make you any wiser, but rather take up a significant chunk of your hard drive.
3. The right of rectification – this can be a powerful weapon for consumers. However, if you take a look at the two topics mentioned above, it looks different. If the effort in obtaining and analyzing your own data is too high, it’s difficult to find that one error which potentially prevented a consumer to receive that much needed mortgage.
4. The right to erasure – this, on the other hand, can actually be viewed as a success. Most organization will give you the option of completely erasing all data when you signed up for a service you only wanted to give a try and decide you don’t like after all. The question is: how many consumers actually use this right?
5. The right to restrict processing – a good example where GDPR seemingly fails reality. Sure, anyone can ask a service provider to not process his/her e-mail address, as an example. In most cases, however, that will prevent access to the service itself, too. Put differently: you might have the right to restrict processing of your data, but mostly you don’t have any other choice but to agree.
6. The right to data portability – this is probably my favorite. It’s actually a great achievement, when you think of it: take your personal data with you, wherever you go. The clash with reality here is of a different flavor. Let’s say I’m registered with AirBnB for years, and now I would like to switch to a more specialized provider of holiday homes. According to GDPR I can take all of my data, including preferences, history, you name it, and hand it over to the new provider. That provider will probably tell me that they cannot process that data, as it’s in AirBnB format – which most likely they cannot use without tremendous effort of converting.
7. The right to object – similar to the right to restrict processing, this is usually not very helpful to customers. If I install an app which asks for permission to use my phone number and I reject that – the only option I have is not to install that app. Not much of a choice, really.
8. Rights of automated decision making and profiling – obviously, a lot of our data is used to get a better understanding of who we really are. This is helpful for advertisers, which then can target the right advertisement to me (or what they think is the right advertisement, anyway). It’s also useful for banks to decide whether someone will be able to pay back the mortgage they are requesting. But again, there’s a conflict between the right to object against profiling and having a real choice. If you object to the bank using your credit card history for verifying your mortgage request, you can certainly do so – but you most certainly will not receive the mortgage then, at least not from this bank.

Conclusion

The GDPR is certainly a big step forward, since for the first time it forced organizations to think more about what they are doing with the personal data they obtain from individuals. It’s also a big step forward for individuals, knowing that they have certain rights they can insist on. As seen above, however, most of these rights are theoretical in nature, at best. There is a difference in having a right to something and having the choice. With GDPR, everyone of us has the right to privacy – but in most cases not really the choice.

How can that change in the future then? In my opinion, a distinction needs to be made between the ownership and the possession of individual data. GDPR and all it’s siblings from around the world clearly state that each individual is the owner of his/her data. But only when we are in possession of our data as well can we perceive a world with true privacy for everyone.