much more than you think…
“The goal of this new regulation is to give citizens back control over their personal data and to simplify the relevant regulatory environment for businesses. The reform of data protection will play a key role in implementing the Digital Single Market, which is a high priority for the Commission. The reform will allow European citizens and businesses to fully benefit from the new digital economy”…
Could a law reveal the true extent of the everyday phenomenon it attempts to regulate, far more than (mainstream) social experience has understood it to be? Usually, state legislation follows social awareness and the controversies surrounding issue A or issue B. The case of the (European) General Data Protection Regulation (GDPR) is an exception. While life as a whole (primarily in societies of advanced capitalism, in both the East and the West) is increasingly “datafied,” it is this law—intended to protect, in its own terms, individual rights and freedoms—that shows just how far the process has already gone!
And so this effort for a digital habeas corpus, 1 as a “stone in the dynamic fluidity of the cyber universe,” creates concentric circles of reactions (and non-reactions) around it. The mere fact that everyone (even from school age!) should study this law of 11 chapters and 99 articles, with the help of various accompanying (and particularly enlightening) texts (it is more important than the Penal Code!!!), in order to realize how universal and without any control of their own the “creation of their data-self” already is and how easy and “invisible” is their processing (therefore their appropriation) by states, para-states, companies but also by whoever “invents” an application (that will break the bank), this fact alone reveals a huge political and social “black hole” within primordial reality. The reality of societies most of which remain trapped in infantile or/and pathologically delayed perception of (capitalist) reality, a perception that exhausts itself in the mythologization “of the threat of foreigners” (of migrants); oblivious, doomed and happily handed over to the gears of the digitization of everything.
And if you ignore such a reality, it is impossible to understand what digital slavery means! How, then, will you understand the opposite, namely what the words “individual rights” and “individual freedoms” could mean in the new capitalist Paradigm? We fear that the “general data protection regulation” will not act as a last resort for the political awakening of citizens. But only as an additional “legal material” for law firms! (Wrongly!!! Very badly!!!)
The “general regulation” was adopted on April 14, 2016; it is not, therefore, a product of the most recent “revelations” about mass data thefts aimed at electoral manipulation in the US (Trump’s election) and in England (Brexit). A two-year transitional period for its implementation had been foreseen. And as of May 25, 2018, it has been mandatorily applicable in all EU member states. 2 Because it is a regulation and not a directive (differences in terminology within European bureaucracy), the “general regulation” does not require legislative approval from national governments. It is binding and mandatorily applicable.
The “general regulation” is an improvement and adaptation to the technological, economic and social developments of a European directive of 1995, regarding “data protection”. It provides significant enhancement of privacy of personal data: their protection; the consent of individuals to storage, use and circulation beyond the needs of the specific use for which they are required; their storage with pseudonyms or anonymously when it comes to business databases; and the enhancement of the ability of those affected by the misuse of their personal data to request (high) compensation, are some (though not the only) serious improvements compared to what was provided by the ’95 directive.
consent
As a specific content of the “general regulation”, more accessible and, at the same time, more urgent to understand, we have chosen the issue of the person’s consent to the management of their personal data by (business, state, economic, etc.) “entities” that provide services based on such data.
In the previous directive (of ’95), the non-explicit “no” to this management meant acceptance – the provision was in favor of “entities”. With the “general regulation” the situation changes: there must be explicit consent from the person; otherwise, refusal is implied. Or abuse by the data collector/processor.
Article 4 (11) of the “general regulation” deals with determining what constitutes explicit and legitimate consent. To qualify as such, it must:
– have been given freely;
– be specific;
– be preceded by appropriate information provided to the individual; and
– there must be confirmation, beyond any doubt, of the individual’s desire to provide their personal data, through a statement or other clear act of authorization, indicating their agreement with the processing of this data.
In more detail (we translate excerpts from the relevant supporting and quite enlightening report of the WP29 “working group” on consent):
> to have been given freely
The element of “freedom” means genuine choice and control on the part of the data subjects. As a general rule, the “general regulation” defines that if the data subject does not have genuine choice, feels coerced to consent, or will suffer negative consequences for not consenting, in these cases the consent is invalid. If consent is requested as a non-negotiable part of terms and conditions, it is considered not to have been given freely. Consequently, consent is not considered free if the data subject cannot refuse or withdraw their consent without consequences. The issue of power imbalances between the data collector and the data subject is taken into account in the “general regulation”.
[Example 1]
A mobile image editing application asks its users to enable GPS location tracking in order to use the app. The application also informs its users that the data it collects will be used for behavioral advertising purposes. Neither location tracking nor online behavioral advertising is necessary for providing image editing services, and they go far beyond the basic features of the service offered. If users cannot use this application without consenting to these requests, their consent cannot be considered freely given.
> imbalance of forces
There is the view that public authorities cannot satisfy the above conditions of the data subject’s consent when they are the ones collecting the data, given the clear imbalance of power between public authorities and the data subject. It is also clear in most cases that the data subject has no real alternatives other than to accept the data processing terms disclosed by the public authority that collects the data. The Article 29 Working Party (WP29) considers that there are other legal bases that are more appropriate in principle to the matter of public authorities’ activities.3
However, with the acknowledgment of these general observations, the use of consent as a legal basis for data processing by public authorities is not entirely excluded from the legal framework of the “general regulation”. The following examples show that the use of consent must be sought in specific cases.
[Example 2]
A municipality is planning road repair works. Since these works will affect traffic in the area for a considerable time, the municipality offers citizens the option to subscribe to a mailing list to receive updates on the progress of the works and expected delays. The municipality makes it clear that participation in this list is not mandatory, and requests consent to use the email addresses for this specific purpose. Citizens who do not consent should not be excluded from any essential service provided by the municipality, or from exercising any of their rights, so they can freely give or withhold their consent for this particular use of their personal data. All information about the road works should also be available on the municipality’s website. [Example 3]
A private landowner needs specific permits from both the local municipality and the regional administration to which the municipality belongs. Both public services require the same information to issue the permits, but they do not have access to each other’s databases. Therefore, both request the same information, and the landowner sends the same data to both services. The municipality and the region ask the individual for his consent to merge the files concerning him, in order to avoid duplicate procedures. Both services assure that this merger is optional, and that the individual’s applications will proceed separately if he chooses not to give his consent for the data merger. The landowner is considered able to freely give his consent to the authorities for the specific purpose. [Example 4]
A public school requests the consent of its students to use their photographs in a student magazine. Consent under these conditions should be a genuine choice, to the extent that students will not be deprived of education or other related services, and will be able to refuse the use of their photographs without any consequences.
Power imbalance also exists in employment relationships. Given the dependency arising from the employee/employer relationship, it is unlikely that the data subject will be able to deny their employer consent to process their data without feeling fear or risk of consequences from such denial. It is unlikely that an employee will be able to freely respond to their employer’s request for consent, for example, to activate a camera system in the workplace, or to complete certain forms, without feeling pressure to consent. Therefore, the WP29 considers it problematic for employers to process personal data of their current or future employees based on consent that is unlikely to be given freely. For the majority of processing such employment-related data, the legal basis cannot and should not be the employees’ consent, due to the relationship between employees and employers. 3
However, this does not mean that employers should never request consent as a legal basis for data processing. There may be cases where it is feasible for the employee to freely give or withhold their consent. Given the power imbalance between an employer and their employees, workers can only freely give their consent in special cases, when there are no consequences for refusing.
[Example 5]
A film crew is about to shoot scenes in a specific section of an office. The employer asks all employees sitting in their offices in this section whether they consent to being filmed, as they will appear as background in the video. Those who do not agree to be videotaped are not punished in any way, but on the contrary, they must be provided with equivalent offices at another location in the workplace for the entire duration of the filming.
The imbalance of power is not limited to public authorities and employers, it can occur in other cases as well. As WP29 emphasizes in various opinions, consent has value only when the data subject can make a genuine choice, and there is no risk of deception, coercion, or significant negative consequences (such as, for example, additional costs) if they do not consent. Consent is not considered free when there is any element of coercion, pressure, or inability to exercise free will.
> compatibility
In order to determine whether consent has been given freely, Article 7 (4) of the “general regulation” plays an important role.
Article 7 (4) of the “general regulation” clarifies that, among other things, “bundling” consent with the acceptance of terms and conditions or “tying” the provision of a service or the acceptance of a contract with consent for the processing of personal data that are not necessary for the performance of that contract or the provision of that specific service is considered highly undesirable. If consent is given under these conditions, it is considered not to have been given freely. Article 7 (4) aims to ensure that the purpose of processing personal data is neither disguised nor bundled with the provision of a contract or service for which these personal data are not necessary. The “general regulation” ensures that refusal of consent in these cases by the data subject will not lead to denial of service provision.
Forcing agreement for the use of personal data beyond what is strictly necessary limits the individual’s choices and prevents them from freely giving their consent. Since the purpose of the “general regulation” is to protect fundamental rights, everyone’s control over their personal data is crucial. And there is a strong assumption that consent for processing personal data that is not strictly necessary cannot be considered as a mandatory obligation in exchange for fulfilling a contract or receiving a service.
…
[Example 6]
A bank requests its customers’ consent to use their card payment details for commercial purposes. This processing operation is not necessary for the contract they have with customers and for providing regular banking services. If the customer’s refusal to consent to this purpose of data processing may lead to denial of banking services, account closure or increased charges, consent cannot be given freely.
….
> distribution
A provided service may involve multiple processing procedures to achieve more than one purpose. In such cases, data subjects should be free to choose which purposes they accept, rather than being required to give their consent as a lump sum. In such a case, several and separate consents should be secured in order to provide the service, in accordance with the “general regulation”.
…
If the data controller has grouped various purposes to be served by the processing and has not ensured separate consents for each purpose, there is a lack of freedom. This distribution is closely interwoven with the need for consent to be specific. When data processing is carried out to serve various purposes, the solution compatible with the legislation for reliable consent lies in distribution. That is, in separating the purposes and seeking consent for each one separately.
[Example 7]
Through a consent request, a merchant asks his customers to consent to the use of their personal data in order to send them advertisements via mail, and also to share the details of this data with other companies within the same group. This consent is not granular, since different consents are not requested for these two separate purposes. Consequently, this consent, even if given, is not considered valid.
So?
The most striking thing certified by the “general regulation” (and the few excerpts above regarding its rationale are telling) is that our entire daily life has been transformed (or encoded) into data. Data. Data of daily habits; data of purchases and payments; data of mediated social relationships (social media); data of health, physical and “psychological”; data of education; data of relationships with the law; data of movement in the city or/and travel; data of work… Data, data, data everywhere!!!
It is so massive, distinct, dynamic, this generalized data-fication that it resembles, if we may say so, an exhalation. The scope, complexity, and utilization of data through their “processing” escape those who are constantly “analyzed as data” (and this will become even more intense as time passes…); but not those who can exploit them. Commercially, economically, disciplinarily.
Thus, the European “general regulation” appears to be far ahead of any everyday awareness. Which until now was condensed into a reluctant (and full of ignorance) “acceptance” (in English: accept) of various demands (related to the provision and processing of personal data). It is not ahead simply from a “technical perspective.” But because it is a legal mapping indeed of the generalized data-fication, aiming to limit it; to put brakes on, as we might say, the indiscriminate interception of all this data – while there is complete ignorance about their “value” and any utilization thereof.
From ignorance and indifference to knowledge and readiness to defend one’s individual digital or digitizable data against those who desire it; is such a thing feasible? From the few examples of WP29 we mentioned above, it is clear to us that if everyone wants to use the provisions of the “general regulation” they will have to be (schematically!) with their “finger on the trigger” constantly! Simple everyday moves: you pay at the supermarket or gas station with a credit card (because, of course, the state as a brave one tries to make it mandatory); What does the grocery company or the gas company do with your personal data? What does the bank do? Does it ask you and you agree because you are bored or do not understand? Doesn’t it ask you and writes you normally?
Even worse: in a society (like the Greek one) where the application of the few but existing labor rights is not strictly and systematically pursued by ourselves, will this hard (but necessary!) defense of digital rights be created to the extent needed? I wish – but we are not optimistic…
It becomes clear, however, what individual (and collective) self-protection could mean in the rapidly evolving digital capitalist world. There is, for example, the idea that if someone avoids Gmail (and thus Google), they are virtually “digital outcasts”—at least as far as their communication with others is concerned. At the same time, smartphones function, whether their owners want it or not, as permanent spies, 24 hours a day.
Self-protection in the 21st century cannot be effective with just a small trick here or there. The extent of digital technology use and networking is far greater, deeper, and more intensive than what each person empirically understands. Will someone queue again at a counter (for example) to buy any kind of ticket? Probably not. Will they resend their tax declaration handwritten? No. And so on. It will take, we fear, a long time before the concept (and scope) of privacy becomes common property again; and, consequently, the limits to its violation by employers, states, etc. (Meanwhile, companies in cyberspace appear ready to circumvent the spirit, and where possible even the letter of the “general regulation”….)
There is another dimension to the European “general regulation.” That of intra-capitalist competition. It is known that the “monopolies” of big data are American companies, of the kind google, facebook, etc. The GDPR, beyond its everyday usefulness at any small, individual, personal scale, can be recognized as a link within a series of actions on the part of the EU against American interest companies – and not generally against large companies. Especially in the field of information technology, it is almost common knowledge in European circles that Europe has fallen behind in relation to the USA and probably also in relation to China. “Restrictions” on information flows to American companies therefore!
It is not a coincidence that countries such as Russia, China and Iran impose strict restrictions on the use of cloud services and social networking. Not necessarily because they are “backward” countries (as if the use of social networks is a certificate of progressiveness!), but because the data collected by many of these services are essentially under American jurisdiction – recent revelations about how easily American intelligence services accessed the servers (and devices) of non-American companies and citizens of various countries.
Ziggy Stardust
cyborg #12 – 6/2018
- The first written codification of habeas corpus refers to England, in 1679; cases of refuge before the courts, however, are reported much earlier. Habeas corpus meant (in medieval Latin) “you have (hold) your body.” And it was related to cases of abusive arrest and imprisonment of citizens (by rulers or their organs). The recognition of “ownership over your body” became the basis for limiting the powers of rulers. It could be said that the “General Data Protection Regulation” is a kind of “recognition of individual ownership over the digital self”… ↩︎
- The fact that there was some noise in our parts after May 25, and that for 2 years this law was ignored (while it should have already been implemented, and all the necessary technical adjustments should have been made, but, mainly, the social awareness of the issue), foresees its substantial neglect; certainly in our parts. Companies will find ways to “drill” it, the “customers” will remain unaware as before; and only occasionally, in some “gross case”, will specialized law firms and lawyers intervene… ↩︎
- What WP29 indicates on this issue requires attention. It states that because there is an inequality of powers (either in relations with public services or in relations with employers) any “consent” is considered a priori unfree. And it cannot be used either by public services or by employers as an argument in their favor.
In these cases (except for a few exceptions) the responsibilities of those who collect and process personal data are regulated by other articles of the “general regulation”. ↩︎